Canadian Centre for Cyber Security News.
The latest Cyber Security news releases, announcements, statements, and speaking notes from the Canadian Cyber Centre.
- Joint guidance on creating and maintaining a definitive view of your operational technology architecture by Canadian Centre for Cyber Security on September 29, 2025 at 12:06 pm
This joint guidance has been developed with contributions from partnering agencies and is part of a series of publications aiming to draw attention to the importance of cyber security in operational technology.
- Statement from the Canadian Centre for Cyber Security on malware targeting global organizations through Cisco Systems by Canadian Centre for Cyber Security on September 25, 2025 at 4:04 pm
<article data-history-node-id="6835" about="/en/news-events/statement-canadian-centre-cyber-security-malware-targeting-global-organizations-through-cisco-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), is urging Canadian organizations to take immediate action to protect themselves in response to a serious new cyber security threat identified today by Cisco: <a href="https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks">Cisco Event Response: Continued Attacks Against Cisco Firewalls</a>. This threat affects end-of-life Cisco <abbr title="Adaptive Security Appliance">ASA</abbr> devices.</p> <p>Timing is crucial when vulnerabilities like these are identified. 
We strongly recommend network defenders bolster their defences based on our latest alert and advisory, and apply appropriate patches immediately.</p> <ul><li>Read the Cyber Centre’s alert on this threat: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="0594ba8c-7337-46bf-b42f-e2761f463f06" href="/en/alerts-advisories/al25-012-vulnerabilities-impacting-cisco-asa-ftd-devices-cve-2025-20333-cve-2025-20362-cve-2025-20363">AL25-012 – Vulnerabilities impacting Cisco ASA and FTD devices – CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363</a></li> <li>Read the Cyber Centre’s advisory on this threat: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="cd17a5c1-7289-4cfd-b5eb-d434993b77d2" href="/en/alerts-advisories/cisco-security-advisory-av25-619">Cisco security advisory (AV25-619)</a></li> </ul><p>This threat activity uses advanced techniques to avoid detection, making it difficult to identify through conventional means. If you believe your organization may be affected, please call us at <a href="tel:+18332923788">1-833-CYBER-88</a> or email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> as soon as possible.</p> <h2>Quotes</h2> <blockquote> <p>"This is a critical moment for Canadian organizations. Threat actors are targeting legacy systems with increasing sophistication. I urge all critical infrastructure sectors to act swiftly. The Cyber Centre stands ready to assist. Early action is the best defence to protect your systems and safeguard your information."</p> <p>- Rajiv Gupta, Head of the Canadian Centre for Cyber Security</p> </blockquote> <h2>Background</h2> <p>The Cyber Centre is aware of cyber threat activity against Cisco <abbr title="Adaptive Security Appliance">ASA</abbr> 5500-X Series devices involving the deployment of highly sophisticated malware, targeting global organizations. 
These types of devices are commonly used by organizations across Canada.</p> <p>Expert teams at the Cyber Centre are actively investigating the vulnerability’s scope and have initiated outreach to support stakeholders and coordinate a unified response.</p> <p>Together, through vigilance and collective action, we can continue to strengthen Canada’s cyber resilience from coast to coast to coast.</p> <p>For more information on vulnerabilities, please visit the Cyber Centre’s <a href="/en/alerts-advisories">Alerts and advisories page</a>.</p> <p>For best practices, please visit the Cyber Centre’s <a href="/en/guidance">Guidance page</a>.</p> </div> </div> </div> </div> </div> </article>
- Recommended Contract Clauses for Cryptography (ITSM.00.501) by Canadian Centre for Cyber Security on September 22, 2025 at 7:38 pm
<article data-history-node-id="6705" about="/en/guidance/recommended-contract-clauses-cryptography-itsm00501" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.501</strong></p> </div> <div class="hidden-lg hidden-md text-center"> <p><strong>September 2025 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.00.501-recommended-contract-clauses-cryptography.pdf">Recommended Contract Clauses for Cryptography – ITSM.00.501 (PDF, 462 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an <span class="text-uppercase">unclassified</span> publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information, contact the Cyber Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect in September 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: September 1, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#overview">Overview</a></li> <li><a href="#introduction">1 Introduction</a> <ul><li><a href="#scope">1.1 Scope</a></li> </ul></li> <li><a href="#cryptographic-considerations">2 Cryptographic considerations</a> <ul><li><a href="#product">2.1 Product considerations</a> <ul><li><a href="#recommended">2.1.1 Recommended cryptographic algorithms</a></li> <li><a href="#cryptographic-agility">2.1.2 Cryptographic agility</a></li> <li><a href="#certification">2.1.3 Cryptographic certification</a></li> </ul></li> </ul><ul><li><a href="#considerations">2.2 Considerations for service providers and cloud services</a> <ul><li><a href="#post-quantum">2.2.1 Post-quantum cryptography</a></li> <li><a href="#configuration">2.2.2 Configuration</a></li> <li><a href="#validated">2.2.3 Using validated cryptographic modules and algorithms</a></li> </ul></li> </ul></li> <li><a href="#terms">3 Terms and conditions</a></li> <li><a href="#conclusion">4 Conclusion</a></li> </ul></details></section><section><h2 class="text-info" id="overview">Overview</h2> <p>As your organization increases the use of cryptography to protect your infrastructure and data, there is a growing need to ensure that your organization purchases products and services that 
provide effective protection. Whether procuring a single-use product or contracting with a service provider such as a cloud service provider (CSP), your organization must consider certain elements to ensure that the product or service will meet your needs. This publication provides advice and guidance on what to consider when procuring products and services that use cryptography, including example clauses.</p> </section><section><h2 class="text-info" id="introduction">1 Introduction</h2> <p>The guidance in this publication highlights important security considerations for your organization when purchasing products and services that use cryptography. This includes but is not limited to service providers and cloud service providers (CSPs).</p> <p>While vendors may present initial foundational terms and conditions, your organization’s management team is responsible for demonstrating and validating that the terms and conditions and the contract’s supporting security clauses address your organization’s business security needs.</p> <p>The terms and conditions should be adaptable for future modifications to safeguard the interests of your organization. The terms and conditions in the service contract should also provide your organization with the best possible business outcomes. Your organization must initiate proactive measures to ensure service provisions include cyber security mechanisms for identifying, communicating, mitigating and preventing risks.</p> <p>This publication outlines cryptographic considerations that should be factored in alongside the primary functional and legal contracting aspects when working with a vendor.</p> <p>The clauses outlined in this publication should not be considered legal advice. 
Rather, they offer context and can help your organization determine the considerations and questions to raise when procuring cryptographic products and services.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div> <h2 class="text-info" id="scope">1.1 Scope</h2> <p>The Cyber Centre provides advice and guidance on selecting and using cryptographic algorithms to protect the authenticity, confidentiality and integrity of sensitive information. This publication provides advice and guidance on what to consider when engaging with a vendor to purchase products or services that use cryptography for the protection of <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span> and <span class="text-uppercase">protected B</span> information.</p> <p><strong>Disclaimer:</strong> The Communications Security Establishment Canada (CSE) and its Cyber Centre do not recommend or endorse the use of any particular contracting clause listed in this publication. The example clauses are provided for informational purposes only, as examples of contract language that may be useful when procuring products and services that use cryptography. 
We recommend seeking legal and procurement advice when using these clauses to ensure that they meet your organization’s requirements.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </section><section><h2 class="text-info" id="cryptographic-considerations">2 Cryptographic considerations</h2> <p>To protect the confidentiality, integrity and authenticity of your organization’s data, you must ensure that all infrastructure effectively uses strong cryptography for both on-premises environments and service provider environments. This includes cloud environments.</p> <p>The following sections present items that should be considered when engaging with vendors. The considerations discuss cryptographic algorithms, modules and parameters to support organizations in following Cyber Centre guidance.</p> <p><a href="#product">Section 2.1 Product considerations</a> outlines considerations to be taken when purchasing products and focuses on the requirements of the products being purchased. <a href="#considerations">Section 2.2 Considerations for service providers and cloud services</a> provides advice and guidance for engaging with service and cloud providers and focuses on how the vendor selects, configures and uses cryptography.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div> <h3 id="product">2.1 Product considerations</h3> <p>This section provides product considerations and example contract clauses to use when purchasing products that support cryptography. The clauses have been developed for products that have built-in cryptographic modules, such as virtual private networks (VPN) and other network appliances that support cryptography natively. 
These considerations can also be used to develop requirements for generic computing devices that will have software installed after purchase (for example, servers).</p> <p><strong>Note:</strong> The Cyber Centre publication <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a> is updated regularly as advice and guidance changes. Any clauses that are used to procure products and that reference ITSP.40.111 should specify the publication version.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <!– Sub-sub section start –> <div> <h4 id="recommended">2.1.1 Recommended cryptographic algorithms</h4> <p>Contractual clauses should ensure that cryptographic modules use algorithms recommended in ITSP.40.111 that meet your system requirements. Additionally, to avoid extra costs during the migration to post-quantum cryptography (PQC), we recommend that all newly procured cryptographic modules support appropriate PQC algorithms.</p> <p>The following clauses recognize that some vendors do not currently support PQC and that some standards that will use the algorithms may still be under development. By specifying a date by which the vendor must provide PQC capabilities, your organization can purchase from the vendor when needed without waiting for the vendor to have PQC capable products. 
The vendor will be required to provide upgrades to the cryptographic modules on or before the date specified.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic modules must use only CSE-approved cryptographic algorithms with cryptographic parameter sizes and key lengths as specified in <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a>.</li> <li>By the end of 2026, cryptographic modules implementing key establishment schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> <li>By the end of 2026, cryptographic modules implementing digital signature schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> <div> <h4 id="cryptographic-agility">2.1.2 Cryptographic agility</h4> <p>Using systems that support cryptographic agility enables organizations to reconfigure or upgrade cryptographic technologies as needed. 
This is important because progress in cryptographic research, vulnerability research and computing can lead to cryptographic deployments with less strength than when they were initially deployed. Products should have the capability to modify parameters, such as key lengths, parameter sizes and key lifetimes, and to select cryptographic algorithms without replacing software or hardware components. This will reduce both the expense and time needed for purchasing new infrastructure. Products must also have the critical ability to securely patch systems that use cryptography to ensure that vulnerabilities are mitigated as they are discovered.</p> <p>For more information on cryptographic agility, read our publication <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a>.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic modules must support cryptographic agility by providing cryptographic algorithms, parameter sizes, key lengths and crypto periods that are configurable.</li> <li>Cryptographic modules must support vendor-signed patches and updates.</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> <div> <h4 id="certification">2.1.3 Cryptographic certification</h4> <p>We recommend that all cryptographic modules be validated through the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a>. The CMVP is jointly managed by the Cyber Centre and the National Institute of Standards and Technology (NIST). It ensures that vendors implement cryptography correctly in their products and that they follow Cyber Centre–recommended security best practices. 
To find validated modules, organizations can search the database of CMVP-validated modules, which is hosted by NIST. Cryptographic algorithms used in the modules should be validated by the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program">Cryptographic Algorithm Validation Program (CAVP)</a>.</p> <p>CMVP certification is specific to the details provided in the security policy available on the product certificate webpage. It is important that products use the cryptographic module according to that security policy. This ensures with a high degree of certainty that the module will provide the expected security services in the expected manner.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic algorithms must be validated by the Cryptographic Algorithm Validation Program (CAVP) with a certificate listed on the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search">CAVP validation list</a>.</li> <li>Cryptographic modules must be validated by the Cryptographic Module Validation Program (CMVP) with an active CMVP certification and a certificate number listed on the <a href="https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules">CMVP-validated modules list</a>.</li> <li>Cryptographic modules must be applied in accordance with the cryptographic module security policy listed on the CMVP-validated modules list, in either an approved or an allowed mode.</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </div> <div> <h3 id="considerations">2.2 Considerations for service providers and cloud services</h3> <p>Organizations that outsource IT infrastructure or software solution management to cloud vendors or service providers must consider the cryptography used to protect the information. 
This section provides additional cryptographic considerations when contracting a service or cloud provider.</p> <p>Your organization should ensure that contracting requirements obligate the contractor to maintain IT systems that are aligned with current cryptographic guidance. In addition to this publication, the Cyber Centre publication <a href="https://www.cyber.gc.ca/en/guidance/recommended-cyber-security-contract-clauses-cloud-services-itsm50104">Recommended cyber security contract clauses for cloud services (ITSM.50.104)</a> provides general procurement clauses and considerations when acquiring cloud-based solutions or services.</p> <p><strong>Note:</strong> We recommend that contracts with service providers ensure contractors remain current with the latest versions of ITSP.40.111 and our <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>. As such, clauses that reference either ITSP.40.111 or ITSP.40.062 should not reference a specific version or publication date and should require contractors to remain aligned with current Cyber Centre recommendations.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div> <h4 id="post-quantum">2.2.1 Post-quantum cryptography</h4> <p>We recommend that all cryptographic modules support CSE-approved PQC algorithms as soon as they are available. The following clauses allow organizations to procure from service providers as needed, with the understanding that the cryptographic modules must be migrated to support PQC no later than the date specified. 
This approach provides flexibility to both the purchaser and the vendor while ensuring that the PQC migration is not delayed or more costly than necessary.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>By the end of 2026, cryptographic modules implementing key establishment schemes must support appropriate post-quantum cryptography compliant with <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a>.</li> <li>By the end of 2026, cryptographic modules implementing digital signature schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> <div> <h4 id="configuration">2.2.2 Configuration</h4> <p>Cryptography should be configured to operate according to the advice and guidance provided in the Cyber Centre’s publications ITSP.40.111 and ITSP.40.062. Following the most recent versions of these publications will help to keep your environment secure as cryptographic guidance evolves. 
Additionally, we recommend that cryptography be configured and operated in an approved or allowed mode as defined in the module’s CMVP security policy.</p> <p><strong>Example clause structure and language</strong></p> <p>The Contractor must:</p> <ul><li>configure systems to only permit use of cryptography in accordance with CSE-approved cryptographic algorithms and cryptographic parameter sizes, key lengths and key lifetimes, as specified in <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a> and <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li>ensure these policies remain consistent with any subsequent published versions</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> <div> <h4 id="validated">2.2.3 Using validated cryptographic modules and algorithms</h4> <p>As in <a href="#certification">Section 2.1.3 Cryptographic certification</a> on procuring products, we recommend that only CAVP-validated algorithms and CMVP-validated modules be used in cloud and service provider environments.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic algorithms permitted to operate must be validated by the Cryptographic Algorithm Validation Program (CAVP) with a certificate listed on the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search">CAVP validation list</a>.</li> <li>Cryptographic modules must be validated by the Cryptographic Module Validation Program (CMVP) with an active CMVP certification and a certificate number listed on the <a href="https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules">CMVP-validated modules list</a>.</li> <li>Cryptographic modules must be applied and operated in accordance with the cryptographic module security policy listed on the CMVP-validated modules list, in either an approved or an allowed mode.</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </div> </div> </section><section><h2 class="text-info" id="terms">3 Terms and conditions</h2> <p>A vendor or contractor may already have terms and conditions they use when selling their products and services. Many of the clauses recommended in this publication may be covered using different contractual language (for example, referencing NIST publications rather than Cyber Centre publications).</p> <p>In these situations, we recommend that organizations carefully compare the recommended clauses with the ones presented by the vendor, as well as any documents that the vendor references. This will help to ensure that the product or service that your organization purchases will meet your cryptographic requirements. 
As in any situation involving a legally binding contract, we recommend seeking legal advice.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="conclusion">4 Conclusion</h2> <p>Cryptography provides an important means to protect your organization’s IT environments, whether in the cloud or managed on premises. However, it is important to ensure that the cryptographic products that these systems use to protect your data are sufficiently strong and secure. Using products that meet the Cyber Centre’s recommendations on cryptography, including validations by CAVP and CMVP, will help provide effective data confidentiality and integrity.</p> <p>This publication offers general guidance for any organization purchasing cryptographic products or using them in its environment. As indicated, it is not legal advice.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section></div> </div> </div> </div> </div> </article>
- Threat detection for SharePoint vulnerabilities by Canadian Centre for Cyber Security on September 5, 2025 at 2:11 pm
<article data-history-node-id="6744" about="/en/news-events/threat-detection-sharepoint-vulnerabilities" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-12"> <p>The Canadian Centre for Cyber Security (Cyber Centre) is <strong>actively tracking multiple campaigns exploiting recently disclosed critical vulnerabilities in on-premises Microsoft SharePoint servers</strong>, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. These widespread campaigns leverage an exploit chain known as <strong>ToolShell</strong>.</p> <p>To help defenders combat attacks leveraging these vulnerabilities, the Cyber Centre has compiled a detailed analysis derived from recent investigations. 
This analysis outlines the <strong>full attack path</strong>, examines the <strong>evolution and use of the ToolShell exploit chain</strong>, and provides an <strong>in-depth characterization of the threat actor’s techniques</strong>, along with critical mitigation and detection guidance.</p> </div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#summary">Executive summary</a></li> <li><a href="#overview">An incident overview</a></li> <li><a href="#analysis">Analysis of the incident</a></li> <li><a href="#indicators">Indicators of compromise and recommendations</a></li> <li><a href="#tools-services">Cyber Centre tools and services</a></li> <li><a href="#acknowledgements">Acknowledgements</a></li> </ul></details></section><section><h2 class="text-info" id="summary">Executive summary</h2> <p>This technical article aims to raise awareness and describe some of the tactics, techniques, and procedures (TTPs) associated with a threat actor seen exploiting the vulnerabilities in on-premises Microsoft SharePoint servers. The Canadian Centre for Cyber Security’s (Cyber Centre) preliminary findings highlight that this threat actor initially exploited a server then used a novel technique with custom .NET payloads to gain and maintain code execution. Subsequent analysis of dozens of custom in-memory payloads provided valuable insight into the extent of the compromise and the threat actor’s intentions and activities.</p> </section><section><h2 class="text-info" id="overview">An incident overview</h2> <p>The events in the timeline below highlight the type of post-exploitation behaviour observed by the Cyber Centre. 
This incident demonstrates how even well-prepared teams can be affected by issues outside of their control: although the victims in this use case upheld strong security practices and took appropriate precautions, they were impacted by an unforeseeable software defect.</p> <!– Figure 1 –> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center h5" id="fig1"><strong>Figure 1: Timeline of events associated with SharePoint vulnerabilities</strong></h3> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig1-e.png" /></figure><details><summary>Long description – Timeline of events associated with SharePoint vulnerabilities</summary><ul class="list-unstyled"><li><strong>Day -12:</strong> Initial access using SharePoint CVE, script execution and data exfiltration (until Day -8)</li> <li><strong>Day -8:</strong> SMB lateral movement and lateral movement to IIS servers</li> <li><strong>Day -10:</strong> SMB lateral movement (until Day -2), lateral movement to IIS servers (until Day -2), script executions (until Day -1), and data exfiltration (until Day -1)</li> <li><strong>Day 0:</strong> CVEs published (CVE-2025-53770 and CVE-2025-53771)</li> <li><strong>Day 2:</strong> Patches released</li> <li><strong>Day 9:</strong> Last known actor activity on network</li> </ul></details></div> </section><p>The Cyber Centre confirmed that activities exploiting the SharePoint vulnerabilities were observed as early as Day -12, consistent with the following recent reports:</p> <ul><li><a href="https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/">Disrupting active exploitation of on-premises SharePoint vulnerabilities (Microsoft)</a></li> <li><a 
href="https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/">Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Palo Alto’s Unit42)</a></li> </ul><p>However, a key indicator of compromise (IoC) shared by Microsoft in its July 19 <a href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/">customer guidance for SharePoint vulnerability CVE-2025-53770</a>, the presence of a file called spinstall0.aspx, was not found during the incident in question. Rather than dropping a web shell to disk, the threat actor exploited the server and then used a novel technique, loading custom .NET payloads directly into IIS process memory, to gain and maintain code execution. As a result, neither the spinstall0.aspx file (or variations on it) nor a PowerShell process spawned by Internet Information Services (IIS) was observed as part of the attack path; defenders relying on those two indicators alone would not have detected this intrusion.</p> <p>Having established an initial foothold in the network, the threat actor moved to an additional server to perform reconnaissance, solidify their access and establish persistence through discovery and lateral movement. To achieve this, they uploaded several different custom .NET payloads directly into the IIS process memory over a period of several hours. 
These payloads included:</p> <ul><li>a module to intercept requests for legitimate files on the web server based on certain criteria</li> <li>a module to extract cryptographic configuration values to facilitate subsequent exploitation on the web server</li> <li>a module to read and exfiltrate the host’s Security Account Manager (SAM) password database for offline cracking</li> <li>a Server Message Block (SMB) client to perform reconnaissance on the network</li> <li>a filesystem crawler</li> <li>a Lightweight Directory Access Protocol (LDAP) querying tool</li> </ul><p>These payloads were frequently combined with a privilege escalation exploit and an encryption module.</p> <!– Figure 2 –> <section class="panel panel-default col-md-8 col-md-offset-1"><div class="panel-body"> <h3 class="text-center h5" id="fig2"><strong>Figure 2: Attack path depicting how the threat actor gained access and moved through the environment</strong></h3> <figure><img alt="Figure 2 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig2-e.png" /></figure><details><summary>Long description – Attack path depicting how the threat actor gained access and moved through the environment</summary><p>The image illustrates an attack flow starting with an external threat actor exploiting a SharePoint server in the DMZ (Step 1). From the SharePoint server, the attacker collects information and performs privilege escalation (Step 2). The attacker performs account discovery from the domain controller (Step 3). The attacker moves laterally to an IIS server (Step 4). The attacker shows interest in the internal exchange server (Step 5). The attacker moves laterally into the internal network (Step 6).</p> </details></div> </section><div class="clearfix"> </div> <p>The threat actor used Hypertext Transfer Protocol Secure (HTTPS) externally to access compromised servers and exfiltrate data. 
They used SMB internally to perform reconnaissance and stage a new web shell on a separate IIS web server that was not running SharePoint. The threat actor leveraged compromised network devices to obfuscate their true origin and access the victims’ network from unpredictable IP addresses. This allowed them to blend in with normal traffic and reduced the usefulness of IP-based IoCs for tracking and discovery.</p> <p>From both beachheads, the threat actor proceeded to connect to multiple devices on the internal network and scrape the domain controller and LDAP servers for information.</p> <p>The last known activity on the network by the threat actor occurred on Day 9, with some subsequent reconnaissance activity touching cloud resources using previously compromised credentials. As of this writing, we continue to observe persistent malicious efforts to access both on-prem and cloud infrastructure using these credentials, which have since been rotated.</p> </section><div class="clearfix"> </div> <!-- Section: Analysis of the incident --> <section><h2 class="text-info" id="analysis">Analysis of the incident</h2> <section class="alert alert-info"><p><strong>Disclaimer:</strong> Comments in source code were added as part of reverse-engineering efforts and are not present in the original samples.</p> </section><p>The Cyber Centre analyzed host and network activity by leveraging telemetry from its sensors. The victims also provided snapshots in time of firewall and Hypertext Transfer Protocol (HTTP) access logs, which were crucial in tracing the compromise back to its very beginning. Ultimately, it was the analysis of dozens of custom in-memory payloads that provided the full story.</p> <p>These payloads consisted of dynamic-link libraries (DLL) loaded into memory over a period of several weeks. 
The Cyber Centre extracted these payloads from the memory of running processes on compromised hosts after the common vulnerabilities and exposures (CVEs) were made public, and then reverse engineered them. This provided valuable insight into the extent of the SharePoint compromise and the threat actor’s intent and activities.</p> <h3>MITRE ATT&CK techniques observed during analysis</h3> <p>Each observation below corresponds to the numbered step of the attack path outlined in <a href="#fig2">figure 2</a>.</p> <h4 class="text-info">Observation 1</h4> <ul><li>Main techniques <ul><li>Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 2</h4> <ul><li>Main techniques <ul><li>System information discovery (<a href="https://attack.mitre.org/techniques/T1082/">T1082</a>)</li> <li>Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</li> <li>OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>)</li> <li>Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 3</h4> <ul><li>Main techniques <ul><li>Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>)</li> 
</ul></li> <li>Additional techniques <ul><li>Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 4</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 5</h4> <ul><li>Main techniques <ul><li>Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 6</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Valid accounts: domain accounts (<a href="https://attack.mitre.org/techniques/T1078/002/">T1078.002</a>)</li> <li>Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</li> </ul></li> </ul><p>Further analysis revealed that:</p> <ul><li>the initial exploitation dated back to Day -12, almost 2 weeks earlier than the CVEs’ public disclosure on July 19</li> <li>a significant number of malicious activities followed the preliminary compromise, leveraging more than 50 distinct payloads over a period of several weeks</li> <li>the threat actor had a keen interest in acquiring and exfiltrating documents on accessible file shares and used SMB protocol to access them</li> <li>many 
payloads were dynamically generated and contained hard-coded values such as server names and paths; some of these included occasional typos, which were fixed in subsequent uploads. Because every upload was a fresh build, hash-based IoCs were of little use; detection had to rely on the behaviour of the payloads instead</li> </ul><div class="clearfix"> </div> <!--Observed technique 1 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 1: Initial access (TA0001)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</span></p> <p>The threat actor leveraged vulnerabilities to gain remote code execution (RCE) on an Internet-exposed SharePoint server (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>). Initial access occurred on Day -12, almost 2 weeks before the public disclosure of the vulnerabilities, and was achieved through the exploitation of CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, an exploit chain also known as ToolShell. 
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a> on July 20, followed by CVE-2025-49704 and CVE-2025-49706 on July 22.</p> </div> </div> <!--Observed technique 2 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 2: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>The threat actor implemented custom-developed code designed to intercept and manipulate web server requests to legitimate files for tailored processing (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>). This code allowed interactions that facilitated the collection of internal system and network information and enabled the exfiltration of sensitive data from the compromised environment. The endpoint chosen to stage subsequent activity also allowed the threat actor to blend their traffic with normal application traffic. In the figure below, ows.js is a legitimate SharePoint file that the threat actor chose to use in an attempt to blend in and should not be considered an IoC; the detection opportunity is the unusual shape of the request (a GET for a static script carrying a WWW-Authorization header), not the file name.</p> <!-- Figure 3 coding --> <h5 class="text-center" id="fig3"><strong>Figure 3: Sample of web shell request handler</strong></h5> <figure><img alt="Figure 3 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig3-e.png" /></figure><details><summary>Long description – Sample of web shell request handler</summary><p>The image contains a snippet of C# code that defines a method named OnPostAuthenticateRequestCurrent, which acts as a custom HTTP request handler. 
The method intercepts requests to a specific SharePoint JavaScript file (/_layouts/15/ows.js) and processes a custom header (WWW-Authorization) to potentially execute encrypted commands on the server. The code includes a conditional check to ensure the request is a GET method and that the WWW-Authorization header exists and has a length of at least 5 characters.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 3 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 3: Credential access (TA0006)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>); Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</span></p> <p>The threat actor deployed custom code to gather credentials from the operating system (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>) and to obtain sensitive information located in configuration files available on the web server (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>). The server’s validation and decryption keys (the ASP.NET machineKey) were obtained early on, which allowed for subsequent forging of ViewState requests. 
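The following Python model is an added example, not code from the Cyber Centre, from the samples or from ASP.NET: it stands in for the machineKey-protected ViewState with a plain HMAC-SHA256 over a JSON body (the real ASP.NET wire format and its deserialization gadgets are not reproduced), generates the key material locally, and walks through what the key theft shown in figure 4 buys an attacker before and after the keys are rotated.

```python
"""Toy model of a MAC-protected ViewState and of what a leaked validation key buys an attacker.

Added example: a simplified stand-in for ASP.NET's machineKey-based ViewState MAC.
It is not the real .NET serialization format and not code from the analyzed samples.
"""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, state: dict) -> str:
    """Server side: serialize the page state and append an HMAC computed with the validation key."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_viewstate(validation_key: bytes, blob: str):
    """Server side: return the deserialized state if the MAC checks out, else None.

    On a real ASP.NET server this is the point where a deserialization gadget inside
    the body would execute; the MAC is the only check standing between the client and
    that code path, so whoever holds the key controls what gets deserialized.
    """
    raw = base64.b64decode(blob)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def rotate_key() -> bytes:
    """Stand-in for generating a fresh machineKey and restarting IIS so it is loaded."""
    return secrets.token_bytes(64)


def demonstrate() -> dict:
    """Walk through the incident's key-leak scenario; report which forged requests the server accepts."""
    server_key = rotate_key()   # validationKey as configured on the SharePoint server
    leaked_key = server_key     # what the figure 4 payload reads from MachineKeySection and exfiltrates

    # Attacker, holding only the leaked key, forges a ViewState carrying any payload they like.
    forged = sign_viewstate(leaked_key, {"__gadget": "attacker-controlled"})

    # Patching the ToolShell CVEs does not touch the key, so the forged ViewState still validates.
    accepted_after_patch = verify_viewstate(server_key, forged) is not None

    # Rotating the key (and restarting IIS so the new key is in effect) invalidates every forged blob.
    server_key = rotate_key()
    accepted_after_rotation = verify_viewstate(server_key, forged) is not None

    # State signed under the new key is still accepted, so rotation only disrupts in-flight pages.
    fresh = sign_viewstate(server_key, {"page": "default.aspx"})
    fresh_after_rotation = verify_viewstate(server_key, fresh) is not None

    return {
        "accepted_after_patch": accepted_after_patch,
        "accepted_after_rotation": accepted_after_rotation,
        "fresh_after_rotation": fresh_after_rotation,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The middle step is the one that matters operationally: the ToolShell patches close the initial entry point but leave the validationKey untouched, so a ViewState forged with the stolen key still passes MAC validation; only rotating the key (followed by an IIS restart so the new value is loaded) makes the forged blob fail.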
As per Microsoft guidance, once the keys are compromised, patching alone is not sufficient; attackers can continue to achieve code execution through ViewState deserialization until the keys themselves are rotated and the server is restarted.</p> <!-- Figure 4 coding --> <h5 class="text-center" id="fig4"><strong>Figure 4: Sample of exfiltration of cryptographic configuration settings</strong></h5> <figure><img alt="Figure 4 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig4-e.png" /></figure><details><summary>Long description – Sample of exfiltration of cryptographic configuration settings</summary><p>The image shows a C# code snippet that dynamically loads the System.Web assembly and uses reflection to access the MachineKeySection class. It retrieves sensitive configuration details such as validation and decryption keys, as well as compatibility mode, and concatenates them into a string. This information is then added to the HTTP response header under the key "X-TXT-NET," potentially exposing critical security data. Where TLS is terminated in front of the server, an unexpected response header of this kind is itself a network-observable indicator.</p> </details><div class="clearfix"> </div> <p>The threat actor had also gathered 4 files from the compromised server within a few days of the initial breach (listed in order of occurrence):</p> <ul><li>C:\Windows\System32\config\SAM</li> <li>C:\Windows\System32\config\SYSTEM</li> <li>C:\Windows\System32\config\SECURITY</li> <li>C:\Windows\System32\inetsrv\Config\applicationHost.config</li> </ul><p>The payload shown in figure 5 combines a privilege escalation exploit with a New Technology File System (NTFS) parsing library (NTFSLib) that reads the hives through raw disk access, bypassing the locks the operating system holds on them while it is running. 
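As an added example (not from the Cyber Centre's tooling or from the samples), the Python below runs the behavioural detections that this passage and the SMB client discussion under observed tactic 7 suggest over constructed Sysmon-style records: RawAccessRead (Event ID 9) and NetworkConnect (Event ID 3) events attributed to the IIS worker process, plus the IIS-spawns-a-shell ProcessCreate (Event ID 1) pattern that this incident notably did not exhibit. The w3wp.exe path, the field names and the sample records are assumptions, not incident data.

```python
"""Host-based detections that do not depend on file hashes or source IPs.

Added example with constructed telemetry. Field names follow Sysmon's ProcessCreate (ID 1),
NetworkConnect (ID 3) and RawAccessRead (ID 9) events; nothing here is from the incident.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: default IIS worker process path; adjust for non-standard installs.
IIS_WORKER = r"c:\windows\system32\inetsrv\w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[Finding]:
    """Run three rules over Sysmon-style event dicts and return the findings in event order."""
    findings: list[Finding] = []
    for e in events:
        image = e.get("Image", "").lower()
        eid = e.get("EventID")

        # Rule 1: the IIS worker opening a volume for raw read. This is how the NTFSLib
        # payload lifts the locked SAM/SYSTEM/SECURITY hives; w3wp.exe has no business doing it.
        if eid == 9 and image == IIS_WORKER:
            findings.append(Finding("iis_raw_disk_read", image, e.get("Device", "")))

        # Rule 2: TCP/445 initiated by the IIS worker itself. Normal SMB leaves the host from
        # the kernel redirector (attributed to the System process), never from w3wp.exe.
        elif eid == 3 and image == IIS_WORKER and e.get("DestinationPort") == 445:
            findings.append(Finding("iis_userland_smb", image, e.get("DestinationIp", "")))

        # Rule 3: the classic IIS-spawns-a-shell signal. Absent in this incident, but cheap to keep.
        elif eid == 1 and e.get("ParentImage", "").lower() == IIS_WORKER and _basename(image) in SHELLS:
            findings.append(Finding("iis_spawned_shell", image, e.get("CommandLine", "")))
    return findings


# Constructed sample telemetry: made-up records for illustration, not incident data.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.20.0.15", "DestinationPort": 445},                  # bespoke .NET SMB client
    {"EventID": 3, "Image": "System",
     "DestinationIp": "10.20.0.15", "DestinationPort": 445},                  # kernel SMB redirector: benign
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "10.20.0.40", "DestinationPort": 443},                  # outbound HTTPS: benign
    {"EventID": 9, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Device": r"\Device\HarddiskVolume2"},                                   # raw hive read from IIS
    {"EventID": 9, "Image": r"C:\Program Files\Backup\vssbackup.exe",
     "Device": r"\Device\HarddiskVolume2"},                                   # backup agent: not w3wp.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell -enc ..."},                                   # IIS spawning a shell
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.image}  {f.detail}")
```

Rules 1 and 2 key on the process attribution of the event rather than on any file or address, which is why they survive the dynamically generated payloads and the rotating source IPs described elsewhere in this article; in a real deployment, tune the IIS worker path per host and expect rule 3 to fire on legitimate administrative modules as well.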
Access to the 4 files listed above allows for offline cracking of credentials: the SAM and SYSTEM hives together yield the local account password hashes, SECURITY holds LSA secrets and cached domain credentials, and applicationHost.config can hold encrypted application pool and virtual directory credentials that are decryptable on the host.</p> <!-- Figure 5 --> <h5 class="text-center" id="fig5"><strong>Figure 5: Code snippet used to collect the SYSTEM hive from disk</strong></h5> <figure><img alt="Figure 5 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig5-e.png" /></figure><details><summary>Long description – Code snippet used to collect the SYSTEM hive from disk</summary><p>The image shows a C# code snippet that processes an HTTP request if its content length is not zero. It decodes a Base64-encoded string, splits it into an array using directory separator characters, and extracts a file path. The code then interacts with a custom NTFSWrapper class to access raw disk data and retrieve the parent directory entry of the specified path, potentially indicating malicious or unauthorized file system access.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 4 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 4: Discovery (TA0007)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>); Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</span></p> <p>Over a 2-week period, the domain controller hosting the LDAP service was queried by the threat actor 19 times to collect information on users, service accounts, groups, administrators and user mailboxes.</p> <!-- Figure 6 --> <h5 class="text-center" id="fig6"><strong>Figure 6: Sample of LDAP 
scraping</strong></h5> <figure><img alt="Figure 6 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig6-e.png" /></figure><details><summary>Long description – Sample of LDAP scraping</summary><p>The image shows a C# code snippet that performs an LDAP query on a specified domain to search for directory entries matching a given filter. The results are serialized into JSON format, encrypted using AES with predefined keys, and then encoded in Base64 before being written to the HTTP response. This code appears to facilitate unauthorized access or exfiltration of directory information.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 5 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 5: Collection (TA0009)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>); Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</span></p> <p>The threat actor leveraged their access to gather information related to the local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>) and unsuccessfully attempted to pivot to the internal mail server (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>). 
The following data collection techniques targeted the filesystem and local storage.</p> <!-- Figure 7 --> <h5 class="text-center" id="fig7"><strong>Figure 7: Sample of file collection from the local system</strong></h5> <figure><img alt="Figure 7 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig7-e.png" /></figure><details><summary>Long description – Sample of file collection from the local system</summary><p>The image shows a C# code snippet that appears to enumerate directories and files within a specified path (C:\\users\\) and collects metadata such as last write time, creation time, and file size. The gathered information is processed into a string, encrypted using AES with predefined keys, and potentially sent as part of an HTTP response. This code suggests functionality for unauthorized data collection and exfiltration.</p> </details><div class="clearfix"> </div> <p>Of note, the actor attempted to pivot to an internal webmail server proxied through the compromised SharePoint server.</p> <!-- Figure 8 --> <h5 class="text-center" id="fig8"><strong>Figure 8: Sample of email collection</strong></h5> <figure><img alt="Figure 8 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig8-e.png" /></figure><details><summary>Long description – Sample of email collection</summary><p>The image shows a C# code snippet configuring an HttpClient to send an HTTP POST request to a specified URL with custom headers and form-encoded data, including placeholders for sensitive credentials (REDACTED_USERNAME and REDACTED_PASSWORD). 
It sets the security protocol to support SSL3 and TLS12, bypasses SSL certificate validation, and includes a user-agent string mimicking a browser.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 6 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 6: Privilege escalation (TA0004)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</span></p> <p>The threat actor leveraged open-source tools to escalate their privileges and gain access to files and data beyond the reach of the initial compromise (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>). Artifacts of the <strong>PrintNotifyPotato</strong> privilege escalation tool were observed in several payloads. Like the rest of the Potato family, it relies on the SeImpersonatePrivilege that IIS application pool identities hold by default to obtain a SYSTEM token, which gave the threat actor access to otherwise restricted files. This technique was leveraged in multiple samples, with portions of code and strings directly matching the GitHub project source code.</p> <!-- Figure 9 --> <h5 class="text-center" id="fig9"><strong>Figure 9: Sample of PrintNotifyPotato privilege escalation</strong></h5> <figure><img alt="Figure 9 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig9-e.png" /></figure><details><summary>Long description – Sample of PrintNotifyPotato privilege escalation</summary><p>The image shows a C# code snippet that performs token duplication and thread impersonation using native methods to elevate privileges. It duplicates a SYSTEM token, impersonates it on the current thread, and calls a function (F()) that appears to access sensitive data, such as the Security Account Manager (SAM) file. 
The code includes error handling and writes diagnostic messages to the HTTP response, indicating potential misuse for privilege escalation and data exfiltration.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 7 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 7: Lateral movement (TA0008)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>); Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</span></p> <p>The threat actor performed reconnaissance and moved laterally in the environment by leveraging SMB connectivity (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>). Interestingly, they leveraged both a custom SMB client loaded inside a .NET module as well as the system’s own SMB client while they were active on the network. In addition, unsuccessful attempts to perform Remote Desktop Protocol (RDP) connections further into the network were observed from compromised servers.</p> <!-- Figure 10 --> <h5 class="text-center" id="fig10"><strong>Figure 10: Sample of SMB client</strong></h5> <figure><img alt="Figure 10 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig10-e.png" /></figure><details><summary>Long description – Sample of SMB client</summary><p>The image shows a C# code snippet that processes HTTP input to extract user credentials (user, address, and password) and attempts to establish an SMB connection using these details. 
If the connection succeeds, it serializes and encodes the list of shared resources; otherwise, it encodes a "connection failed" message. The SMB client instance is stored in the application context, suggesting potential misuse for unauthorized access or credential harvesting.</p> </details></div> </div> <div class="clearfix"> </div> <h4>SMB commands implemented by the sample</h4> <p>In the sample above, we observed the following SMB commands and associated behaviours:</p> <ul><li><strong>cn:</strong> establishes an SMB connection using a username, password, and IP address specified in the request. It saves the SMB connection to HttpApplication.Application["817FE0AC534D44E49"]</li> <li><strong>li:</strong> lists files in the connected SMB resource</li> <li><strong>re:</strong> reads a file from the connected SMB resource</li> <li><strong>we:</strong> writes, appends or creates a file on the connected SMB resource</li> <li><strong>de:</strong> deletes a file on the connected SMB resource</li> <li><strong>di:</strong> disconnects and cleans up the SMB client</li> </ul><p>The use of a bespoke SMB client inside .NET payloads enabled further detection opportunities: outgoing connections over port 445 from the IIS worker process (w3wp.exe) stand out because normal SMB traffic originates from the Windows kernel’s SMB redirector, which process-level network telemetry attributes to the System process rather than to any user-mode application.</p> <!--Observed technique 8 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 8: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>After gaining a foothold in the network, the threat actor pivoted to an additional 
Internet-exposed IIS server (not SharePoint) within a matter of days, using the lateral movement techniques previously mentioned. This helped them establish a back-up persistent access point into the network (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>), solidifying their presence, after which they remained dormant for almost 2 weeks.</p> <p>The compromise of a non-SharePoint server emphasizes the need to look beyond initial <abbr title="tactics, techniques and procedures">TTPs</abbr> for signs of lateral movement once an initial compromise is detected.</p> <p>The threat actor returned briefly on Day 9 by leveraging the above-mentioned access. However, because of the Cyber Centre’s improved understanding of the actor’s <abbr title="tactics, techniques and procedures">TTPs</abbr>, alongside newly deployed capabilities, this new activity was quickly detected and stopped.</p> <!-- Figure 11 --> <h5 class="text-center" id="fig11"><strong>Figure 11: Sample of additional web shell path</strong></h5> <figure><img alt="Figure 11 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig11-v2-e.png" /></figure><details><summary>Long description – Sample of additional web shell path</summary><p>The image shows a C# code snippet implementing an HTTP request handler that intercepts POST requests to a specific SharePoint path (/_layouts/15/start.aspx). It processes a Base64-encoded __EVENTVALIDATION parameter, decrypts it using DES, and parses the resulting data to handle specific modes, such as "Get." 
The code includes functionality for compressing and encoding data, suggesting potential misuse for unauthorized data manipulation or exfiltration.</p> </details></div> </div> <div class="clearfix"> </div> <!--Observed technique 9 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 9: Resource development (TA0042)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</span></p> <p>Indicators suggest that exploitation and exfiltration activities originated from several compromised network devices, including some with close geographical proximity to the target network. For example, the IP address used for the initial exploitation was not the same one subsequently used for ongoing collection and access development. This flexible choice of source IPs allowed the threat actor to blend in with normal traffic and reduced the usefulness of typical IP-based IoCs for tracking, discovery and blocking.</p> </div> </div> <!--Observed technique 10 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 10: Exfiltration (TA0010)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</span></p> <p>The Cyber Centre observed several obfuscation techniques in use during the exfiltration phase related to executing payloads embedded in web server requests. 
The most commonly observed technique was encrypting the result using a symmetric key (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>), encoding that result using Base64, and then returning the Base64-encoded buffer as part of the HTTP response from the web server. This encryption is encapsulated inside the regular Transport Layer Security (TLS) connections observed on normal port 443 traffic for the application.</p> </div> </div> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Indicators of compromise and recommendations --> <section><h2 class="text-info" id="indicators">Indicators of compromise and recommendations</h2> <p>IoCs were distributed via the Cyber Centre’s automated threat intelligence sharing platform (AVENTAIL) and through alerts and communications by the Canadian Cyber Security Incident Response Team (CSIRT). This ensured that partners across all sectors had the information they needed to act decisively.</p> <p>For up-to-date information on alerts, advisories and guidance relating to the SharePoint vulnerabilities, please refer to the Cyber Centre alert <a href="https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770">Vulnerability Impacting Microsoft SharePoint Server (CVE-2025-53770)</a>.</p> </section><!-- Cyber Centre tools and services --><section><h2 class="text-info" id="tools-services">Cyber Centre tools and services</h2> <p>No single tool, service or turnkey solution can reconstruct an incident, trace an attacker’s path or validate a threat on its own. A holistic approach using multiple perspectives is required to conduct a thorough investigation. 
As such, the Cyber Centre relies on multiple layered telemetry sources to detect threats and protect monitored assets.</p> <p>Active scanning tools helped identify Internet-exposed high-priority servers. <a href="https://www.cyber.gc.ca/en/tools-services/assemblyline">AssemblyLine</a> was used to enable triage at scale, processing hundreds of thousands of files per day. The Cyber Centre made enhancements to its <a href="https://github.com/cybercentrecanada/assemblyline-service-dotnet-decompiler">DotnetDecompiler Service</a> to automate the decompilation of .NET executables. This is now available in the Cyber Centre’s open-source repository, giving the broader cyber security community the benefit of the same advanced capabilities.</p> <p>In response to this incident, the Cyber Centre also created YARA rules to help with the detection of malicious files related to the threat actor’s activity. Additional YARA rules will be released periodically after an evaluation period to ensure accuracy.</p> <p>The sample YARA rule below implements a detection for the LDAP scraping activity found in payloads extracted from the compromised server.</p> <!-- Figure 12 --> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center" id="fig12"><strong>Figure 12: YARA rule for LDAP data collection detection</strong></h3> <figure><img alt="Figure 12 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig12-e.png" /></figure><details><summary>Long description – YARA rule for LDAP data collection detection</summary><p>The image shows a YARA rule named WIN_LDAPQuery designed to detect DLL files performing LDAP queries. It includes metadata such as the rule’s purpose, category, and reference to a SharePoint vulnerability advisory. 
The rule identifies suspicious behaviour by matching specific strings related to LDAP operations, encryption, and token handling, combined with conditions targeting file size and string occurrences.</p> <pre class="prettyprint"> <span class="wb-inv">Code</span>
rule win_ldapquery {
    meta:
        id = "1vOyulv5H6pIcnCKCQJxyB"
        fingerprint = "69d05a0633335c9c8c739d33e2af3b9f4be01369d4ccefb83e55d2fe094b0a87"
        version = "1.0"
        modified = "2025-08-27"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "CCCS"
        author = "reveng@CCCS"
        description = "Detect a DLL that is performing a LDAP query."
        category = "MALWARE"
        malware = "ldapquery"
        malware_type = "INFOSTEALER"
        malware_type = "HACKTOOL"
        report = "TA25-0056"
        report = "TA25-0057"
        reference = "https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770"

    strings:
        // Detection of classes and function names (latest version).
        $a1 = "LDir" ascii
        $a2 = "Explore" ascii
        $a3 = "Internals" ascii
        $a4 = "EncryptAes" ascii
        $a5 = "DecryptAes" ascii
        $a6 = "Set Token Error" wide
        $a7 = "AdsDateValue" ascii
        $a8 = "FindHandle" ascii

        // Detection of function names (oldest version).
        $x1 = "JavaScriptSerializer" ascii
        $x2 = "Serialize" ascii
        $x3 = "EncryptAes" ascii
        $x4 = "DecryptAes" ascii
        $x5 = "DirectorySearcher" ascii

        // Product and assembly version.
        $b1 = "0.0.0.0" wide

        // Guid for Internet Explorer (IE) COM object and strings for writing the HTTP response.
        $c1 = "9068270B-0939-11D1-8BE1-00C04FD8D503" ascii
        $c2 = "HttpResponse" ascii
        $c3 = "HttpContext" ascii
        $c4 = "ToBase64String" ascii
        $c5 = "GZipStream" ascii
        $c6 = "CreateEncryptor" ascii

        // Dynamic libraries with extern functions for security token escalation.
        $d1 = "advapi32.dll" ascii
        $d2 = "ntdll.dll" ascii
        $d3 = "kernel32.dll" ascii
        $d4 = "NtQuerySystemInformation" ascii
        $d5 = "OpenProcessToken" ascii
        $d6 = "GetTokenInformation" ascii
        $d7 = "SetThreadToken" ascii
        $d8 = "GetCurrentThreadToken" ascii
        $d9 = "Administrator" wide
        $d10 = "IUSR" wide

        // LDAP related strings.
        $e1 = "LDAP://" wide
        $e2 = "samaccountname=" wide nocase
        $e3 = "cn=" wide nocase
        $e4 = "msexchrecipienttypedetails=" wide
        $e5 = "userprincipalname=" wide
        $e6 = "mail=" wide

    condition:
        uint16(0) == 0x5A4D and
        ( (5 of ($a*) and 4 of ($d*)) or all of ($x*) ) and
        $b1 and
        4 of ($c*) and
        2 of ($e*) and
        filesize < 2MB
}
</pre> </details></div> </section></section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Acknowledgments --> <section><h2 class="text-info" id="acknowledgements">Acknowledgments</h2> <p>As a part of the Communications Security Establishment Canada (CSE), the Cyber Centre is a proud member of the Five Eyes, the world’s longest-standing and closest intelligence-sharing alliance. Sharing IoCs and <abbr title="tactics, techniques and procedures">TTPs</abbr> with the cyber community and Five Eyes partners has been instrumental since the SharePoint vulnerabilities were first discovered, and ongoing analytical exchanges have maximized the value of collected data.</p> <p>Further collaboration with organizations such as the Microsoft Threat Intelligence Center (MSTIC) and Palo Alto’s Unit42 has enabled the exchange of detailed malware analysis and technical findings, strengthening collective defences.</p> </section><section class="alert alert-info"><p><strong>Disclaimer:</strong> The Cyber Centre disclaims all liability for any loss, damage, or costs arising from the use of or reliance on the information within this article. 
Readers are solely responsible for verifying the accuracy and applicability of any information before acting on it.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>
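As an added example (not Cyber Centre code, and not a substitute for the yara engine), the following Python re-implements the evaluation of the win_ldapquery rule in Figure 12 against constructed byte buffers, making visible how YARA's ascii, wide and nocase modifiers and the uint16(0) header test combine in the rule's condition; the sample buffers are constructed here and are not real files.

```python
"""Pure-Python walk-through of the win_ldapquery YARA rule's matching logic.

Added example, not Cyber Centre code. The string groups and condition are
transcribed from the rule so the semantics are explicit: 'ascii' strings are
raw bytes, 'wide' strings are UTF-16LE, 'nocase' folds ASCII case, and
uint16(0) == 0x5A4D is the little-endian "MZ" check. Use yara itself for
detection; this is for understanding and tuning the rule.
"""
import struct

ASCII, WIDE = "ascii", "wide"

# (text, encoding, nocase) for each string group, transcribed from the rule.
STRINGS = {
    "a": [("LDir", ASCII, False), ("Explore", ASCII, False), ("Internals", ASCII, False),
          ("EncryptAes", ASCII, False), ("DecryptAes", ASCII, False),
          ("Set Token Error", WIDE, False), ("AdsDateValue", ASCII, False), ("FindHandle", ASCII, False)],
    "x": [("JavaScriptSerializer", ASCII, False), ("Serialize", ASCII, False),
          ("EncryptAes", ASCII, False), ("DecryptAes", ASCII, False), ("DirectorySearcher", ASCII, False)],
    "b": [("0.0.0.0", WIDE, False)],
    "c": [("9068270B-0939-11D1-8BE1-00C04FD8D503", ASCII, False),
          ("HttpResponse", ASCII, False), ("HttpContext", ASCII, False),
          ("ToBase64String", ASCII, False), ("GZipStream", ASCII, False),
          ("CreateEncryptor", ASCII, False)],
    "d": [("advapi32.dll", ASCII, False), ("ntdll.dll", ASCII, False),
          ("kernel32.dll", ASCII, False), ("NtQuerySystemInformation", ASCII, False),
          ("OpenProcessToken", ASCII, False), ("GetTokenInformation", ASCII, False),
          ("SetThreadToken", ASCII, False), ("GetCurrentThreadToken", ASCII, False),
          ("Administrator", WIDE, False), ("IUSR", WIDE, False)],
    "e": [("LDAP://", WIDE, False), ("samaccountname=", WIDE, True), ("cn=", WIDE, True),
          ("msexchrecipienttypedetails=", WIDE, False),
          ("userprincipalname=", WIDE, False), ("mail=", WIDE, False)],
}


def string_hits(data: bytes, group: str) -> int:
    """Count how many strings of one group ($a*, $d*, ...) occur in data."""
    hits = 0
    for text, enc, nocase in STRINGS[group]:
        needle = text.encode("utf-16-le" if enc == WIDE else "ascii")
        hay = data
        if nocase:
            # bytes.lower() folds only ASCII letters, which is what YARA's
            # nocase does here; the UTF-16LE null bytes are left untouched.
            needle, hay = needle.lower(), data.lower()
        if hay.find(needle) != -1:
            hits += 1
    return hits


def explain(data: bytes) -> dict:
    """Per-clause breakdown of the rule's condition, useful when tuning it."""
    n = {g: string_hits(data, g) for g in STRINGS}
    return {
        "counts": n,
        "mz_header": len(data) >= 2 and struct.unpack_from("<H", data)[0] == 0x5A4D,
        "new_variant": n["a"] >= 5 and n["d"] >= 4,  # 5 of ($a*) and 4 of ($d*)
        "old_variant": n["x"] == len(STRINGS["x"]),   # all of ($x*)
        "version_string": n["b"] == 1,                # $b1
        "http_and_crypto": n["c"] >= 4,               # 4 of ($c*)
        "ldap": n["e"] >= 2,                          # 2 of ($e*)
        "size_ok": len(data) < 2 * 1024 * 1024,       # filesize < 2MB
    }


def win_ldapquery(data: bytes) -> bool:
    """True when the buffer satisfies the rule's full condition."""
    r = explain(data)
    return bool(r["mz_header"] and (r["new_variant"] or r["old_variant"])
                and r["version_string"] and r["http_and_crypto"]
                and r["ldap"] and r["size_ok"])


def build_sample(ascii_strs=(), wide_strs=(), size=4096) -> bytes:
    """Constructed stand-in for a PE file: an MZ header, the requested strings
    in their YARA encodings and zero padding. It is not an executable."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    for s in ascii_strs:
        body += s.encode("ascii") + b"\x00"
    for s in wide_strs:
        body += s.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * max(0, size - len(body))
    return bytes(body)


# Constructed samples: the first two carry the string sets the rule's comments
# call the oldest and latest versions; the third looks like a benign .NET file.
OLD_VARIANT = build_sample(
    ["JavaScriptSerializer", "EncryptAes", "DecryptAes", "DirectorySearcher",
     "HttpResponse", "HttpContext", "ToBase64String", "GZipStream"],
    ["0.0.0.0", "LDAP://", "SAMAccountName="],  # mixed case: nocase still hits
)
NEW_VARIANT = build_sample(
    ["LDir", "Explore", "Internals", "EncryptAes", "DecryptAes", "advapi32.dll",
     "ntdll.dll", "kernel32.dll", "OpenProcessToken", "HttpResponse",
     "HttpContext", "ToBase64String", "CreateEncryptor"],
    ["0.0.0.0", "LDAP://", "cn="],
)
BENIGN = build_sample(["HttpResponse", "HttpContext", "ToBase64String"], ["0.0.0.0"])
```

explain() returns the per-clause result, so on a near-miss you can see which string group fell short; an LDAP filter that appears only as 8-bit ASCII is not matched by the wide strings, which is why the $e strings are declared wide for .NET binaries.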
- Cyber security hygiene best practices for your organization – ITSAP.10.102 by Canadian Centre for Cyber Security on September 4, 2025 at 12:56 pm
<article data-history-node-id="3435" about="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.102</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>September 2025 | Awareness series</strong></p> </div> </div> <p>Cyber security hygiene refers to the best practices your organization can take to maintain the overall health and security of your <abbr title="information technology">IT</abbr> environment. Your cyber security hygiene helps you better defend your networks, systems and data from threat actors.</p> <p>Threat actors, even in more sophisticated attacks, leverage common vulnerabilities and weaknesses to attack systems and gain initial access. 
By building a solid cyber security foundation, your organization is better positioned to protect, defend and recover from cyber incidents.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#checklist">Cyber security hygiene checklist</a> <ul><li><a href="#network">Network and endpoint protection</a></li> <li><a href="#system">System protection</a></li> <li><a href="#education">User education and additional protective measures</a></li> </ul></li> </ul><h2 class="text-info" id="checklist">Cyber security hygiene checklist</h2> <p>The following checklist provides actions your organization can take to strengthen your cyber security.</p> <p>While not all actions may be feasible, you should prioritize implementing those that are most impactful and sustainable for your organization. Doing so will enhance your cyber security posture.</p> <h3 id="network">Network and endpoint protection</h3> <ul><li>Protect your network and endpoints with the following tools <ul><li>anti-virus and anti-malware software</li> <li>network protocol inspection tools</li> <li>endpoint detection and response</li> <li>firewalls</li> <li>wireless intrusion detection and prevention systems</li> <li>mobile endpoint threat management solutions and mobile threat defence products</li> </ul></li> <li>Segment your networks to stop traffic from flowing to sensitive or restricted zones</li> <li>Implement a security information and event management system to enable real-time, continuous monitoring to identify anomalies in your <ul><li>network traffic</li> <li>wireless access points</li> <li>mobile device gateways</li> </ul></li> <li>Monitor your security critical components, including the <ul><li>Domain Name System (DNS) server</li> <li>authentication server</li> <li>public key infrastructure</li> </ul></li> <li>Implement protective <abbr title="Domain Name System">DNS</abbr> to prevent users from inadvertently visiting potentially malicious domains on the Internet</li> <li>Regularly renew 
cryptographic keys to maintain secure communications</li> <li>Document secure baseline configurations for all your <abbr title="information technology">IT</abbr>, operational technology components and cloud infrastructure</li> <li>Establish and maintain a configuration management database</li> <li>Conduct and maintain an inventory of your <abbr title="information technology">IT</abbr> assets</li> <li>Manage and detect unauthorized assets by developing and maintaining <abbr title="information technology">IT</abbr> asset management procedures that ensure proper tagging and labelling of hardware and software assets</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/using-security-information-event-management-tools-manage-cyber-security-risks-itsm80024">Using security information and event management tools to manage cyber security risks (ITSM.80.024)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085) </a></li> <li><a href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain Name System (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="/en/guidance/protective-domain-name-system-itsap40019">Protective Domain Name System (ITSAP.40.019)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h3 id="system">System protection</h3> <ul><li>Enable automatic updates and patches for your firmware, hardware, software and operating systems, especially for Internet-exposed services and systems</li> <li>Patch operating systems and applications promptly after assessing organizational risk and confirming compatibility with your environment</li> <li>Enforce 
phishing-resistant multi-factor authentication (MFA) for all accounts and systems, especially those with administrative privileges</li> <li>Encourage the use of strong, unique, and confidential passphrases or passwords where <abbr title="multi-factor authentication">MFA</abbr> is not technically feasible</li> <li>Ensure administrators use dedicated workstations that do not allow web browsing or email access</li> <li>Regularly review and update user privileges, for example: <ul><li>remove users no longer in your organization</li> <li>edit user privileges if users no longer require access to certain data or systems</li> <li>limit administrative privileges to a small number of users</li> <li>require two-person integrity for administrative privileges</li> <li>conduct administrative functions from a dedicated administrative workstation</li> </ul></li> <li>Apply the principle of least privilege, ensuring users only have the set of privileges that are essential to performing authorized tasks</li> <li>Consider role-based access control</li> <li>Manage mobile devices with unified endpoint management software</li> <li>Implement application allow lists to control what applications and components are allowed on your networks and systems</li> <li>Assess third-party applications to identify and disable unnecessary components or functions or require human intervention before activation (for example, macros)</li> <li>Disable autorun or autoplay on all your operating systems and web browsers to avoid automatic installations of unauthorized software</li> <li>Establish an incident response plan and conduct annual tests to ensure timely restoration of critical functions and effective recovery</li> <li>Categorize your assets to identify those that are most critical to your organization’s operations</li> <li>Regularly back up critical data and systems to offline storage, ensuring backups are isolated from network connections</li> <li>Test your backups periodically to ensure data and systems 
can be recovered quickly and successfully</li> <li>Proactively manage device lifecycles to address vulnerabilities in end-of-life or end-of-service-life devices, which often remain unpatched and increase security risks</li> </ul><h4>Read more </h4> <ul><li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 <abbr title="information technology">IT</abbr> security action items: No. 2 patch operating systems and applications (ITSM.10.096) </a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030) </a></li> <li><a href="/en/guidance/top-10-it-security-actions-no3-managing-controlling-administrative-privileges-itsm10094">Top 10 <abbr title="information technology">IT</abbr> security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)</a></li> <li><a href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002) </a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095) </a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003) </a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002) </a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h3 id="education">User education and additional protective measures</h3> <ul><li>Provide ongoing, tailored cyber security training to ensure your employees know how to respond to suspicious links or emails</li> <li>Provide 
privacy awareness training to your employees to reduce the risk of privacy breaches</li> <li>Identify and subscribe to relevant security information sources or alert services to stay informed about threats that could impact your organization</li> <li>Develop an internal and external contact list of key stakeholders to alert during cyber threat events</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035) </a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 <abbr title="information technology">IT</abbr> security actions to protect Internet-connected networks and information (ITSM.10.089) </a></li> <li><a href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>
- Virtualizing your infrastructure (ITSAP.70.011) by Canadian Centre for Cyber Security on September 4, 2025 at 11:54 am
<article data-history-node-id="682" about="/en/guidance/virtualizing-your-infrastructure-itsap70011" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.011</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12"><!--<div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber/publications/itsap70011.pdf">Virtualizing your infrastructure (ITSAP.70.011) (PDF, 807 KB)</a></p> </div>--> <p>Virtualization is a method of hardware abstraction that allows the creation of software versions of <abbr title="information technology">IT</abbr> systems and services which are traditionally implemented on separate physical hardware. These software versions, or virtual instances, can dramatically increase efficiency and decrease costs. 
Virtualization uses hardware to its full capacity by distributing its capabilities among many different services.</p> <p>Before implementing virtualization within your organization, you should understand the associated risks and ensure you protect your network, systems and information. This guidance covers the basics of virtualization, how your organization can benefit from it and the potential risks involved.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#virtualization">How virtualization works</a></li> <li><a href="#what-can-virtualization">What virtualization can do for your organization</a></li> <li><a href="#types-of-virtualization">Types of virtualization</a></li> <li><a href="#benefits-of-virtualization">Benefits of virtualization</a></li> <li><a href="#risks-virtualization">Risks of virtualization</a></li> <li><a href="#hypervisor-vendor">What to consider when selecting a hypervisor vendor</a></li> <li><a href="#mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="text-primary text-info" id="virtualization">How does virtualization work?</h2> <p>To run your systems and services virtually, there are 3 main components.</p> <h3>Virtual machine</h3> <p>With virtualization, you can run your applications on fewer physical servers. Applications and software run virtually on a simulated computer system called a virtual machine (VM). The <abbr title="virtual machine">VM</abbr> has all the features of a computer server, without needing the physical hardware attached. A hypervisor supports the <abbr title="virtual machine">VM</abbr>.</p> <h3>Hypervisor</h3> <p>The hypervisor provides the layer of abstraction between the underlying hardware and hosted virtual machines. An abstraction layer can hide or show as much detail about your system as you want. 
The hypervisor allocates resources, such as central processing unit access, storage and memory, to multiple <abbr title="virtual machine">VM</abbr>s. This allows them to run concurrently on the same underlying hardware as though they each had their own dedicated hardware.</p> <p>The use of hypervisor technology may allow for quicker builds and snapshots of <abbr title="virtual machine">VM</abbr> images. The administration of the hypervisor should be done using a dedicated administrator workstation (DAW). <abbr title="dedicated administrator workstation">DAW</abbr>s are limited-use workstations that can only be used by those who have privileged access to perform administrative tasks. They are meant to increase the security of your network.</p> <p>There are 2 types of hypervisors:</p> <ul><li>bare-metal hypervisor (also known as Type 1), which runs directly on physical hardware</li> <li>hosted (also known as Type 2), which runs as an application on a host operating system</li> </ul><p>Hypervisor technologies may also provide additional functionality or features such as the use of <abbr title="virtual machine">VM</abbr> snapshots and backups, virtual networking capabilities between <abbr title="virtual machine">VM</abbr>s, <abbr title="virtual machine">VM</abbr> monitoring and more. Note that the use of a hypervisor may incur additional overhead.</p> <h3>Hardware servers</h3> <p>A single hardware server may support multiple <abbr title="virtual machine">VM</abbr>s. 
Without virtualization, idle applications have resources that are unused, for example:</p> <ul><li>processing power</li> <li>RAM</li> <li>storage</li> </ul><p>With virtualization, hardware servers can be used at full capacity to offer the hypervisor all the resources necessary to support the <abbr title="virtual machine">VM</abbr>s.</p> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 1: Hardware server supporting a virtual machine</strong></figcaption><img alt="Hardware server supporting a virtual machine" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap-70011-virtualizing-your-infrastructure-v2-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 1: Hardware server supporting a virtual machine </summary><p>Figure 1 shows how the hardware server supports the hypervisor and the virtual machine. The image shows 3 components, from left to right: the hardware server connects to the hypervisor and then to the virtual machine(s).</p> </details></figure></div> </div> <h2 class="text-primary text-info" id="what-can-virtualization">What virtualization can do for your organization</h2> <p>Using virtualization, your organization can advance the performance of its infrastructure in the following ways:</p> <ul><li>run multiple operating systems on one physical machine</li> <li>divide system resources between <abbr title="virtual machine">VM</abbr>s, also known as load balancing</li> <li>gain advanced resource controls</li> <li>create virtualized security appliances, such as a firewall</li> <li>easily move, copy and save <abbr title="virtual machine">VM</abbr>s to other files and systems</li> <li>run virtual desktop infrastructure in-office and remotely</li> </ul><h2 class="text-primary text-info" id="types-of-virtualization">Types of virtualization</h2> <p>Virtualization can be used to perform several 
different functions for different needs. Your organization may choose to use all or some of the following types of virtualization.</p> <h3>Server</h3> <p>A physical server is divided up into multiple virtual servers. Each virtual server can run its own operating system. This is effective for deploying <abbr title="information technology">IT</abbr> services within an organization.</p> <h3>Desktop</h3> <p>A workstation is virtualized so that users can access it from anywhere. This includes accessing your organization’s network from a smart device and working remotely. To learn more about workstation virtualization, read our guidance on <a href="https://www.cyber.gc.ca/en/guidance/using-virtual-desktop-home-and-office-itsap70111">using virtual desktop at-home and in-office (ITSAP.70.111)</a>.</p> <h3>Storage</h3> <p>All your physical data storage units are combined to create a large, virtualized unit. This streamlines storage capabilities and creates a central storage console.</p> <h3>Network</h3> <p>A hardware-based network is transformed into a software-based network. This consolidates all the network resources and simplifies administrative control.</p> <h3>Application</h3> <p>Computer programs can run on various operating systems (OS). An application is installed on an underlying <abbr title="Operating System">OS</abbr>, but through virtualization can be accessed and executed on others, such as running a Microsoft application on a Linux <abbr title="Operating System">OS</abbr>. This requires a virtualization layer to be inserted between the <abbr title="Operating System">OS</abbr> and the app.</p> <h3>Cloud computing</h3> <p>While virtualization is closely related to cloud computing, they are not the same concept. However, cloud computing utilizes virtualization to support many of its functions. 
To learn more about cloud computing, read our guidance <a href="https://www.cyber.gc.ca/en/guidance/thinking-moving-cloud-heres-how-do-it-securely">Thinking of moving to the cloud? Here’s how to do it securely</a>.</p> <h2 class="text-primary text-info" id="benefits-of-virtualization">Benefits of virtualization</h2> <p>Virtualization and the use of <abbr title="virtual machine">VM</abbr>s have several benefits. These examples are not inherent capabilities of virtualization but may be achieved depending on how you use it:</p> <ul><li>lowers costs for high performance <abbr title="information technology">IT</abbr> services</li> <li>increases <abbr title="information technology">IT</abbr> productivity, efficiency and responsiveness</li> <li>accelerates the installation of applications and implementations of resources</li> <li>minimizes network downtime</li> <li>decreases disaster recovery time</li> <li>simplifies data centre management</li> <li>segregates applications and data to enhance security and reliability</li> <li>creates environments to safely test applications</li> </ul><h2 class="text-primary text-info" id="risks-virtualization">Risks of virtualization</h2> <p>Your organization can introduce security vulnerabilities if you do not properly configure or secure virtualization technology. 
Risks may include the following:</p> <ul><li>vulnerabilities can be introduced by obsolete and unpatched servers (known as <abbr title="virtual machine">VM</abbr> sprawl)</li> <li>sensitive data can be compromised by moving <abbr title="virtual machine">VM</abbr>s</li> <li>entry points, like external access to the device, can be exploited when a <abbr title="virtual machine">VM</abbr> is offline and dormant</li> <li>hardware can be compromised by malware that spreads from <abbr title="virtual machine">VM</abbr>s or hypervisors, such as <abbr title="virtual machine">VM</abbr> escape</li> <li>unauthorized access may be permitted due to virtual separation not offering the required isolation for security baselines, such as privileged access</li> <li>control and visibility can be lost within the virtual environments or networks if traditional security devices are used</li> <li>resources can be exhausted if a hypervisor is compromised or if unauthorized changes are made to configurations</li> <li>protecting each <abbr title="virtual machine">VM</abbr> is more time consuming, as <ul><li>each <abbr title="virtual machine">VM</abbr> requires unique considerations and configurations</li> <li>each <abbr title="virtual machine">VM</abbr> runs individually from the core structure</li> </ul></li> <li>a denial of service attack that affects one <abbr title="virtual machine">VM</abbr> can affect all connected <abbr title="virtual machine">VM</abbr>s unless quickly isolated</li> </ul><h2 class="text-primary text-info" id="hypervisor-vendor">What to consider when selecting a hypervisor vendor</h2> <p>You should choose a hypervisor vendor that can support your organization’s security requirements. 
Before selecting a vendor, consider the following factors to help support your decision:</p> <ul><li>whether the data is encrypted when it is in transit and at rest</li> <li>the security controls that the vendor has in place to protect sensitive data</li> <li>whether the vendor uses bare-metal or hosted hypervisors</li> <li>whether the vendor has monitoring and auditing capabilities</li> <li>who has access to the data on the server</li> <li>how administrative privileges are controlled</li> <li>whether the vendor gives advice and guidance on configuring, deploying, and hardening the virtualized environment</li> </ul><h2 class="text-primary text-info" id="mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</h2> <p>Your organization can mitigate some of the risks associated with implementing virtual technology by taking the following 15 actions:</p> <ul><li>Select a trustworthy and reliable vendor</li> <li>Update and patch servers frequently</li> <li>Have your <abbr title="information technology">IT</abbr> team separate the different areas of your virtualized environment (e.g. 
public, storage, management) into network zones for better control</li> <li>Store highly sensitive data on separate physical servers</li> <li>Test high-risk applications in isolated environments</li> <li>Apply the principle of least privilege to ensure users only have enough privilege to carry out their job functions</li> <li>Use separation of duties to break down processes or tasks into a series of steps to reduce the likelihood of mistakes or malicious activity</li> <li>Implement multi-factor authentication for all accounts</li> <li>Train employees on cyber security best practices and provide role-based training</li> <li>Back up your data regularly</li> <li>Use a security information and event management approach to business operations to streamline the security of assets</li> <li>Install antivirus and intrusion detection or prevention systems on your infrastructure to keep all <abbr title="virtual machine">VM</abbr>s secure</li> <li>Manage your assets: take stock of all infrastructure being used and regularly audit and remove unused <abbr title="virtual machine">VM</abbr>s</li> <li>Encrypt network traffic and hard drives anywhere sensitive data is stored to protect data in transit and at rest</li> <li>Develop and test an incident response plan</li> </ul><p>We strongly recommend using bare-metal hypervisors where possible for your organization’s virtualized environments. 
Bare-metal hypervisors have fewer layers and typically allow for more efficient use of hardware and additional functionality and capabilities compared to hosted hypervisors.</p> <h2 class="text-primary text-info" id="learn-more">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data-centre-virtualization">Cyber Centre data centre virtualization report: Best practices for data centre virtualization (ITSP.70.010)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/isolating-web-facing-applications-itsap10099">Isolating web-facing applications (ITSAP.10.099)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security action items: No.2 patch operating systems and applications (ITSM.10.096)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-information-enterprise-level-itsap10097">Protect information at the enterprise level (ITSAP.10.097)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
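The asset-management action above ("take stock of all infrastructure being used and regularly audit and remove unused VMs") is the one most easily turned into a repeatable check. The script below is an added example, not Cyber Centre code: it audits a small VM inventory for the risks the publication lists (VM sprawl from unowned machines, dormant offline VMs that keep stale entry points, and overdue patching). The inventory fields, the 90-day and 30-day thresholds and the sample records are assumptions constructed for illustration.

```python
"""Audit a virtual machine inventory for sprawl, dormancy and overdue patching.

Added example, not Cyber Centre code. The inventory fields, the thresholds
and the sample records are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VM:
    name: str
    zone: str                 # network zone (e.g. public, storage, management)
    owner: Optional[str]      # accountable team; None means nobody claims it
    powered_on: bool
    last_power_on: date       # most recent time the VM was running
    last_patched: date        # most recent OS patch cycle applied


# Policy thresholds; both values are assumptions for this example.
DORMANT_AFTER = timedelta(days=90)
PATCH_OVERDUE_AFTER = timedelta(days=30)


def audit(inventory: List[VM], today: date) -> Dict[str, List[str]]:
    """Return {vm_name: [finding, ...]} for every VM that needs attention.

    Unowned VMs are sprawl candidates, long-offline VMs silently miss patch
    cycles while keeping their old entry points, and any VM past the patch
    window is flagged regardless of power state.
    """
    findings: Dict[str, List[str]] = {}
    for vm in inventory:
        issues = []
        if vm.owner is None:
            issues.append("no owner: sprawl candidate, confirm and remove")
        if not vm.powered_on and today - vm.last_power_on > DORMANT_AFTER:
            issues.append("dormant: offline beyond %d days, archive or delete" % DORMANT_AFTER.days)
        if today - vm.last_patched > PATCH_OVERDUE_AFTER:
            issues.append("patch overdue: last patched %s" % vm.last_patched.isoformat())
        if issues:
            findings[vm.name] = issues
    return findings


def by_zone(inventory: List[VM], findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count flagged VMs per network zone so the noisiest zone is visible."""
    counts: Dict[str, int] = {}
    for vm in inventory:
        if vm.name in findings:
            counts[vm.zone] = counts.get(vm.zone, 0) + 1
    return counts


# Constructed sample inventory (not real hosts).
AUDIT_DATE = date(2025, 9, 29)
SAMPLE_INVENTORY = [
    VM("web-01", "public", "web-team", True, date(2025, 9, 28), date(2025, 9, 15)),
    VM("db-02", "storage", "data-team", True, date(2025, 9, 29), date(2025, 7, 1)),
    VM("test-legacy", "public", None, False, date(2025, 3, 1), date(2025, 2, 20)),
]


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed sample inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    results = run_audit()
    for name, issues in results.items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print("flagged per zone:", by_zone(SAMPLE_INVENTORY, results))
```

In practice the inventory would be exported from the hypervisor management layer rather than typed in; the point of the check is that a VM nobody owns, or one that has been off for a quarter, is treated as a finding to act on rather than as free capacity.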
- Universal plug and play (ITSAP.00.008)by Canadian Centre for Cyber Security on September 3, 2025 at 6:32 pm
<article data-history-node-id="6751" about="/en/guidance/universal-plug-play-itsap00008" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.008</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>September 2025 | Awareness series</strong></p> </div> <p>Universal plug and play (UPnP) is a protocol that allows devices on the same network to automatically discover, connect to and interact with one another. Common examples of devices that use <abbr title="universal plug and play">UPnP</abbr> include:</p> <ul><li>mobile devices</li> <li>smart devices (for example, speakers, televisions and cameras)</li> <li>computers</li> <li>gaming systems</li> <li>printers</li> <li>Wi-Fi devices</li> <li>routers</li> </ul><p>While <abbr title="universal plug and play">UPnP</abbr> services can be convenient for automating device connectivity, they can expose you to several security risks. 
We therefore recommend disabling <abbr title="universal plug and play">UPnP</abbr>, especially on perimeter devices such as home routers that manage firewalls, switches and Wi-Fi access points for other connected devices. Before you disable <abbr title="universal plug and play">UPnP</abbr>, check what level of security your devices need, since some require the service to work properly.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#use">How universal plug and play is used</a></li> <li><a href="#risks">Related risks</a></li> <li><a href="#secure">How to secure your devices</a></li> <li><a href="#disable">How to disable <abbr title="universal plug and play">UPnP</abbr> on a home router</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="use">How universal plug and play is used</h2> <p><abbr title="universal plug and play">UPnP</abbr> is used to connect devices seamlessly within a local network. It allows smart devices, gaming consoles and computers, and media streaming devices to connect automatically, and it supports remote device control. <abbr title="universal plug and play">UPnP</abbr> allows compatible devices to interact and work together within a related network for versatility and convenience. Here are some examples of how <abbr title="universal plug and play">UPnP</abbr> is commonly used.</p> <h3>Smart devices</h3> <p>Smart devices use <abbr title="universal plug and play">UPnP</abbr> to communicate with each other, allowing them to automatically adjust settings or change their environment based on the actions of other devices. 
For example, smart lighting can change colour or brightness in response to temperature changes detected by a connected smart thermostat.</p> <h3>Gaming consoles and computers</h3> <p>Gaming consoles can discover and connect with each other to join multiplayer sessions and share game content in real time.</p> <h3>Media streaming</h3> <p>Devices that support media streaming can share and stream videos, music and photos among other <abbr title="universal plug and play">UPnP</abbr>-enabled devices.</p> <h3>Remote access</h3> <p>You can use remote device control from a smartphone or computer to control actions or settings on <abbr title="universal plug and play">UPnP</abbr>-supported devices. For example, <abbr title="universal plug and play">UPnP</abbr> can be used to remotely lock or unlock a smart lock to your house.</p> <h2 class="text-info" id="risks">Related risks</h2> <p>While <abbr title="universal plug and play">UPnP</abbr>-enabled devices are convenient, they also introduce potential security risks because they often operate with minimal authentication or access controls. As a result, devices and networks using <abbr title="universal plug and play">UPnP</abbr> may be exposed to several common threats that can compromise security and privacy.</p> <h3>Malware</h3> <p>Threat actors can compromise <abbr title="universal plug and play">UPnP</abbr>-enabled devices with malware. For example, they may use distributed denial-of-service (DDoS) attacks to configure <abbr title="universal plug and play">UPnP</abbr> devices to be accessible and ready to receive and send data.</p> <h3>Unauthorized access</h3> <p>Any <abbr title="universal plug and play">UPnP</abbr> device connected to a common network can be compromised by someone who gains access to that network. 
This could be a threat actor exploiting a device connected to the network or a local user accessing a connected device (for example, an insider threat).</p> <p>The two main ways devices using <abbr title="universal plug and play">UPnP</abbr> on a network can be compromised include:</p> <ul><li>external threats: attackers who gain unauthorized access to your network (for example, by exploiting a vulnerable device) can target <abbr title="universal plug and play">UPnP</abbr>-enabled devices to manipulate device settings, intercept communications, or install malware</li> <li>insider threats: individuals with legitimate access to the local network who tamper with or misuse <abbr title="universal plug and play">UPnP</abbr>-connected devices, including reconfiguring devices, accessing sensitive data or intentionally weakening network security</li> </ul><h3>Network configuration</h3> <p><abbr title="universal plug and play">UPnP</abbr> offers control of network configuration settings, such as port forwarding, which threat actors can leverage to bypass firewalls, change access lists, or modify security measures. This makes it difficult to detect and block malicious traffic. Threat actors can also use a <abbr title="universal plug and play">UPnP</abbr>-connected device to manipulate network configuration to expose router web administration details, redirect traffic to malicious external servers, modify credentials and control internal connections and device activities.</p> <h3>Data sharing</h3> <p>Connected <abbr title="universal plug and play">UPnP</abbr> devices share data that allows them to interact with each other and to action certain activities. 
This can pose a privacy risk if devices that handle sensitive information connect and share data with other devices on the network.</p> <h2 class="text-info" id="secure">How to secure your devices</h2> <p>The most effective way to protect against <abbr title="universal plug and play">UPnP</abbr>-related attacks is to disable the service entirely. If disabling <abbr title="universal plug and play">UPnP</abbr> is not an option, you can reduce your network’s exposure by:</p> <ul><li>restricting <abbr title="universal plug and play">UPnP</abbr> access by creating a virtual local area network (VLAN) or a separate network zone to isolate <abbr title="universal plug and play">UPnP</abbr>-enabled devices from other devices on your network</li> <li>updating devices regularly and enabling automatic updates where available to further mitigate the risk of threat actors taking control of your devices and leveraging <abbr title="universal plug and play">UPnP</abbr> protocols maliciously</li> <li>logging and regularly monitoring device activity for any irregularities and potential threats</li> <li>regularly reviewing security settings and port-forwarding rules on your router and any other networking devices you own</li> <li>keeping up to date with new and emerging technologies and threats by reading Cyber Centre resources and publications</li> <li>training employees on and spreading awareness of cyber security best practices to identify, understand and manage potential threats to your systems</li> <li>using Canadian Internet Registration Authority (CIRA) tools and services to strengthen security if your router needs to be <abbr title="universal plug and play">UPnP</abbr>-enabled</li> </ul><h2 class="text-info" id="disable">How to disable universal plug and play on a home router</h2> <p>The steps to disable <abbr title="universal plug and play">UPnP</abbr> on your home router will vary depending on the make and model of the router, but generally, you should follow these 3 
steps:</p> <ol><li>Log into your router’s administrative or configuration webpage</li> <li>Select the <abbr title="universal plug and play">UPnP</abbr> settings that are often found under the "advanced" or the "<abbr title="Network Address Translation">NAT</abbr> forwarding" configuration options</li> <li>Choose the option to "disable <abbr title="universal plug and play">UPnP</abbr>"</li> </ol><p>If you choose not to disable <abbr title="universal plug and play">UPnP</abbr> on your home router, you can block ports associated with <abbr title="universal plug and play">UPnP</abbr> at the Internet gateway. This helps prevent unauthorized external devices from accessing internal devices using <abbr title="universal plug and play">UPnP</abbr>.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/how-your-smart-device-listening-you-itsap70013">Security considerations for voice-activated digital assistants (ITSAP.70.013)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="/en/guidance/internet-things-iot-security-itsap00012">Internet of Things (IoT) security (ITSAP.00.012)</a></li> <li><a href="/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial of service attacks – prevention and preparation (ITSAP.80.110)</a></li> <li><a href="/en/guidance/cyber-security-home-and-office-secure-your-devices-computers-and-networks-itsap00007">Cyber security at home and in the office: Secure your devices, computers, and networks (ITSAP.00.007)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> </ul></div> </div> </div> </div> </div> </article>
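UPnP devices announce themselves with SSDP messages (NOTIFY advertisements and M-SEARCH responses on UDP port 1900), so the "logging and regularly monitoring device activity" step above can be grounded in an inventory of what is actually advertising on the LAN. The following is an added example, not Cyber Centre code: it parses captured SSDP messages, tracks which device types each host is advertising (withdrawing a type on ssdp:byebye), and lists hosts that advertise the Internet Gateway Device port-mapping services (WANIPConnection and WANPPPConnection), which is the capability a router stops exposing once UPnP is disabled. The captured messages, addresses and device names are constructed for illustration.

```python
"""Inventory UPnP (SSDP) advertisements seen on a home or office LAN.

Added example, not Cyber Centre code. The captured messages, host
addresses and device names below are constructed for illustration.
"""
from urllib.parse import urlsplit

# UPnP Internet Gateway Device services that expose port-mapping control.
# A router advertising one of these lets LAN clients open inbound ports on
# the gateway; this is the capability the guidance recommends turning off.
PORT_MAPPING_SERVICES = (
    "urn:schemas-upnp-org:service:WANIPConnection:",
    "urn:schemas-upnp-org:service:WANPPPConnection:",
)


def parse_ssdp(raw):
    """Parse one SSDP message (NOTIFY, M-SEARCH or a search response).

    Header names are lower-cased; the request or status line is kept under
    the key "_start". Lines that are not "Name: value" are ignored.
    """
    lines = raw.strip().split("\r\n")
    msg = {"_start": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg[name.strip().lower()] = value.strip()
    return msg


def inventory(messages):
    """Group advertisements by device UUID (the first part of USN).

    Returns {uuid: {"host": str, "server": str, "types": set}}. ssdp:alive
    and search responses add the advertised type, ssdp:byebye withdraws it.
    Messages without a USN (e.g. a client's M-SEARCH) are not devices.
    """
    devices = {}
    for raw in messages:
        msg = parse_ssdp(raw)
        usn = msg.get("usn")
        if not usn:
            continue
        uuid = usn.split("::", 1)[0]
        entry = devices.setdefault(uuid, {"host": None, "server": "unknown", "types": set()})
        if "location" in msg:
            entry["host"] = urlsplit(msg["location"]).hostname
        if "server" in msg:
            entry["server"] = msg["server"]
        kind = msg.get("nt") or msg.get("st")
        if not kind:
            continue
        if msg.get("nts", "").lower() == "ssdp:byebye":
            entry["types"].discard(kind)
        else:
            entry["types"].add(kind)
    return devices


def port_mapping_hosts(devices):
    """Hosts whose live advertisements include an IGD port-mapping service."""
    return sorted(
        entry["host"] for entry in devices.values()
        if entry["host"] and any(t.startswith(p) for t in entry["types"] for p in PORT_MAPPING_SERVICES)
    )


# Constructed capture: a router, a media player, a printer that later shuts
# down, and a client's search request. None of these are real devices.
CAPTURED = [
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    "NT: urn:schemas-upnp-org:service:WANIPConnection:1\r\nNTS: ssdp:alive\r\n"
    "SERVER: ExampleRouterOS/1.0 UPnP/1.1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:service:WANIPConnection:1\r\n",
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.20:8080/description.xml\r\n"
    "ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\nSERVER: ExampleTV/2.3 UPnP/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:MediaRenderer:1\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "LOCATION: http://192.168.1.30/upnp/device.xml\r\n"
    "NT: urn:schemas-upnp-org:device:Printer:1\r\nNTS: ssdp:alive\r\nSERVER: ExamplePrinter/1.0 UPnP/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000003::urn:schemas-upnp-org:device:Printer:1\r\n",
    "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NT: urn:schemas-upnp-org:device:Printer:1\r\nNTS: ssdp:byebye\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000003::urn:schemas-upnp-org:device:Printer:1\r\n",
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n",
]


def audit_devices():
    """Inventory built from the constructed capture."""
    return inventory(CAPTURED)


def exposed_hosts():
    """Hosts in the constructed capture that still advertise port-mapping control."""
    return port_mapping_hosts(audit_devices())


if __name__ == "__main__":
    for uuid, entry in sorted(audit_devices().items()):
        print(uuid, entry["host"], entry["server"], sorted(entry["types"]))
    print("hosts exposing port-mapping control:", exposed_hosts())
```

Running this against a real capture after following the three disable steps is a useful confirmation: if the router's address still appears in the exposed-hosts list, the setting did not take effect (or a second device on the LAN is also offering the service).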
- Joint guidance on a shared vision of software bill of materials for cyber securityby Canadian Centre for Cyber Security on September 3, 2025 at 2:28 pm
The joint guidance aims to inform software producers, purchasers and operators of the benefits of integrating SBOM generation, analysis, and sharing into security processes and practices.
- Joint cyber security advisory on worldwide network compromises by People’s Republic of China state-sponsored actorsby Canadian Centre for Cyber Security on August 27, 2025 at 3:48 pm
This joint advisory warns that PRC state-sponsored threat actors are targeting global networks including: telecommunications, government, transportation, lodging and military infrastructure.
- Cyber security best practices for managing email (ITSAP.60.002)by Canadian Centre for Cyber Security on August 26, 2025 at 7:32 pm
Whether you lead a small or medium business or are an employee, email configuration is a key component to ensuring that your organization is protected against various cyber threats
- Quick guide to email configuration (ITSAP.60.003)by Canadian Centre for Cyber Security on August 26, 2025 at 7:27 pm
<article data-history-node-id="6580" about="/en/guidance/quick-guide-email-configuration" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.60.003</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <p>This publication introduces several email configuration concepts, focusing on the available email authentication methods to verify the authenticity of the message.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#spf">Sender Policy Framework</a></li> <li><a href="#dkim">DomainKeys Identified Mail</a></li> <li><a href="#tls">Transport Layer Security encryption</a></li> <li><a href="#dmarc">Domain-based Message Authentication Reporting and Conformance</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="spf">Sender Policy Framework</h2> <p>Sender Policy Framework (SPF) is a TXT record added to your domain’s zone file to be queried by the domain name system (DNS) server associated with your domain. 
The record states which <abbr title="Internet Protocol">IP</abbr> address(es) are allowed to send email from your domain or on your domain’s behalf. Emails from <abbr title="Internet Protocol">IP</abbr> addresses, <abbr title="Internet Protocol">IP</abbr> ranges, or third-party domains that are not included may be labelled as spam. <abbr title="domain name system">DNS</abbr> translates a human-readable address into a machine-readable address to direct the user to the correct location.</p> <h2 class="text-info" id="dkim">DomainKeys Identified Mail</h2> <p>DomainKeys Identified Mail (DKIM) is generally already configured by large and reputable host email services. Essentially, <abbr title="DomainKeys Identified Mail">DKIM</abbr> places a signature on outgoing emails, which can be verified by a public <abbr title="Domain Name System">DNS</abbr> record to ensure they haven’t been modified. The receiving mail server checks the signature against that public record upon receipt, and if the <abbr title="DomainKeys Identified Mail">DKIM</abbr> signature is invalid, the message will likely be labelled as spam.</p> <h2 class="text-info" id="tls">Transport Layer Security encryption</h2> <p>Transport Layer Security (TLS) encryption is a protocol that encrypts messages between servers so that they don’t get compromised in transit. <abbr title="Transport Layer Security">TLS</abbr> is a core email configuration used to ensure the privacy and integrity of an organization’s communications. 
However, while <abbr title="Transport Layer Security">TLS</abbr> can secure the initial transfer from the email client to the first server, it doesn’t guarantee that subsequent transfers will also use <abbr title="Transport Layer Security">TLS</abbr> encryption.</p> <h2 class="text-info" id="dmarc">Domain-based Message Authentication Reporting and Conformance</h2> <p>Domain-based Message Authentication Reporting and Conformance (DMARC) is generally already configured by your host email server as it’s an advanced and complex setting. <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> is the recommended protocol that chooses what to do with the information taken from <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys Identified Mail">DKIM</abbr>. There are three set policies (p=):</p> <ul><li>p=none, in which no action is taken and the message is delivered</li> <li>p=quarantine, in which the message is placed in a spam or junk folder for review</li> <li>p=reject, in which the message is rejected or bounced back to sender</li> </ul><p>There are also policies for subdomains which are labelled as “sp=” but are only applied if subdomains are explicitly defined.</p> <p>While <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> may appear complex to set up, it’s essential in today’s cyber security landscape. You can use a <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> parsing service that will help you translate and understand the <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>’s output response. Third-party <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> auditing protocol services can help by providing you with policy assurances and reporting mechanisms to monitor authentication and potential threats. 
When implementing <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>, you should review rules periodically to check if important mail is getting blocked.</p> <p>To maintain a reasonable level of protection, you should configure <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys Identified Mail">DKIM</abbr> and <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>. When choosing an email service provider, ensure that it supports these configurations, offers <abbr title="Transport Layer Security">TLS</abbr> encryption, and has strong anti-spam and threat mitigation features.</p> <div class="well well-sm mrgn-tp-lg"> <h2 class="mrgn-tp-sm" id="rci">Reporting a cyber incident</h2> <p>If your organization is a victim of fraud, contact your local police and file a report online through the <a href="https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm" rel="external">Canadian Anti-Fraud Centre’s online reporting system</a> or by phone at <a href="tel:1-888-495-8501">1-888-495-8501</a>. Report cyber incidents online via the Cyber Centre’s <a href="https://portal-portail.cyber.gc.ca/en/report/">My Cyber Portal</a>.</p> </div> <h2 class="text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection">Implementation guidance: email domain protection (ITSP.40.065 v1.1)</a></li> <li><a href="/en/guidance/cyber-security-best-practices-managing-email">Cyber security best practices for email (ITSAP.60.002)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protective-domain-name-system-itsap40019">Protective domain name system (ITSAP.40.019)</a></li> </ul></div> </div> </div> </div> </div> </article>
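The SPF and DMARC sections above describe two DNS records and how a receiver acts on them; the script below is an added example, not Cyber Centre code, that walks through that logic end to end. It evaluates an SPF record for a connecting IP (including the include mechanism and the -all, ~all qualifiers), parses a DMARC record, selects the sp= subdomain policy when one is present and p= otherwise, and returns the resulting disposition (deliver, quarantine or reject). Real DNS lookups are replaced by an in-memory table; the domains, addresses and records are constructed for illustration, only the ip4, ip6, include and all mechanisms are handled, and DMARC identifier alignment is assumed rather than checked.

```python
"""Evaluate an SPF record for a sending IP and apply the DMARC policy.

Added example, not Cyber Centre code. An in-memory table stands in for DNS
TXT lookups; the domains, addresses and records are constructed for
illustration. Only the ip4, ip6, include and all mechanisms are handled
(a, mx, exists and redirect are omitted), and SPF/DKIM identifier
alignment with the From: domain is assumed rather than checked.
"""
import ipaddress

# Constructed stand-in for DNS TXT records (domain -> list of TXT strings).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"],
    "_spf.mail-provider.example": ["v=spf1 ip6:2001:db8:10::/48 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"],
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Return the TXT strings published at `name` (empty list if none)."""
    return TXT_RECORDS.get(name, [])


def spf_record(domain):
    for txt in lookup_txt(domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none for `ip` sending as `domain`."""
    record = spf_record(domain)
    if record is None or depth > 10:        # no record, or include chain too deep
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # An IPv6 address is never inside an IPv4 network and vice versa.
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue                     # malformed network: ignore this term
        elif mech == "include":
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


def parse_dmarc(domain):
    """Return the DMARC tags for `domain` as a dict, or None if no record."""
    for txt in lookup_txt("_dmarc." + domain):
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def dmarc_policy(tags, is_subdomain):
    """Policy the receiver applies: sp= for subdomain mail when present, else p=."""
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


def disposition(spf_result, dkim_valid, policy):
    """Simplified DMARC verdict: an aligned SPF or DKIM pass delivers the
    message; otherwise the published policy decides."""
    if spf_result == "pass" or dkim_valid:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


def evaluate_message(sender_ip, mail_from_domain, org_domain, dkim_valid, is_subdomain=False):
    """Return (spf_result, disposition) for one inbound message."""
    spf = check_spf(sender_ip, mail_from_domain)
    tags = parse_dmarc(org_domain)
    if tags is None:                         # no DMARC record: nothing to enforce
        return spf, "deliver"
    return spf, disposition(spf, dkim_valid, dmarc_policy(tags, is_subdomain))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:10::5", "198.51.100.7"):
        print(ip, evaluate_message(ip, "example.com", "example.com", dkim_valid=False))
```

The third sample address fails SPF and, with no valid DKIM signature, is rejected under p=reject; the same message sent from a subdomain would only be quarantined because the record sets sp=quarantine. Reviewing that difference is exactly the "check if important mail is getting blocked" step the publication recommends.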
- Email security best practices (ITSM.60.002)by Canadian Centre for Cyber Security on August 26, 2025 at 7:21 pm
<article data-history-node-id="6685" about="/en/guidance/email-security-best-practices-itsm60002" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.60.002</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/ITSM.60.002-email-security-best-practices-en.pdf">Email security best practices – ITSM.60.002 (PDF, 1007 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on August 12, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: August 12, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1.1">1.1 Introduction</a></li> <li><a href="#1.2">1.2 Common email threats</a> <ul><li><a href="#1.2.1">1.2.1 Phishing</a></li> <li><a href="#1.2.2">1.2.2 Spoofing</a></li> <li><a href="#1.2.3">1.2.3 Malware</a></li> <li><a href="#1.2.4">1.2.4 Business email compromise</a></li> <li><a href="#1.2.5">1.2.5 Impersonation</a></li> <li><a href="#1.2.6">1.2.6 Data exfiltration</a></li> <li><a href="#1.2.7">1.2.7 Spam</a></li> </ul></li> <li><a href="#1.3">1.3 Email security protocols</a> <ul><li><a href="#1.3.1">1.3.1 Transport layer security</a></li> <li><a href="#1.3.2">1.3.2 Secure/multipurpose internet mail extensions</a></li> <li><a href="#1.3.3">1.3.3 Pretty good privacy and open pretty good privacy</a></li> <li><a href="#1.3.4">1.3.4 Secure/multipurpose Internet mail extensions versus pretty good privacy</a></li> <li><a href="#1.3.5">1.3.5 Sender Policy Framework</a></li> <li><a href="#1.3.6">1.3.6 DomainKeys identified mail</a></li> <li><a href="#1.3.7">1.3.7 Domain-based message authentication, reporting, and conformance</a></li> </ul></li> <li><a href="#1.4">1.4 Protecting your email</a> <ul><li><a href="#1.4.1">1.4.1 Email security best 
practices</a></li> <li><a href="#1.4.2">1.4.2 Implement protocols to validate user identity and server identity</a></li> <li><a href="#1.4.3">1.4.3 Secure the email gateway</a></li> <li><a href="#1.4.4">1.4.4 Create an email security policy</a></li> <li><a href="#1.4.5">1.4.5 Monitor email activities</a></li> <li><a href="#1.4.6">1.4.6 Conduct regular email security audits and testing</a></li> <li><a href="#1.4.7">1.4.7 Keep business and personal emails separate</a></li> <li><a href="#1.4.8">1.4.8 Verify email links before you click on them</a></li> <li><a href="#1.4.9">1.4.9 Block spam and unwanted senders</a></li> </ul></li> <li><a href="#1.5">1.5 Email infrastructure security recommendations</a> <ul><li><a href="#1.5.1">1.5.1 Email servers</a></li> <li><a href="#1.5.2">1.5.2 Database/storage security</a></li> <li><a href="#1.5.3">1.5.3 Physical controls</a></li> <li><a href="#1.5.4">1.5.4 Cloud environment considerations</a></li> </ul></li> <li><a href="#1.6">1.6 Additional cyber security best practices to enhance email protection</a> <ul><li><a href="#1.6.1">1.6.1 Use unique and strong passwords or passphrases</a></li> <li><a href="#1.6.2">1.6.2 Educate and train employees</a></li> <li><a href="#1.6.3">1.6.3 Use multi-factor authentication</a></li> <li><a href="#1.6.4">1.6.4 Keep software and operating systems updated</a></li> <li><a href="#1.6.5">1.6.5 Connect to reliable Wi-Fi networks</a></li> <li><a href="#1.6.6">1.6.6 Create an incident response plan</a></li> <li><a href="#1.6.7">1.6.7 Back up important files</a></li> </ul></li> <li><a href="#1.7">1.7 Engaging with email security experts</a> <ul><li><a href="#1.7.1">1.7.1 Detonation and email sandboxing</a></li> <li><a href="#1.7.2">1.7.2 Content control</a></li> <li><a href="#1.7.3">1.7.3 Authentication systems</a></li> <li><a href="#1.7.4">1.7.4 Email encryption</a></li> <li><a href="#1.7.5">1.7.5 Email security gateways</a></li> <li><a href="#1.7.6">1.7.6 Continuous monitoring</a></li> <li><a 
href="#1.7.7">1.7.7 Reporting and analytics</a></li> </ul></li> <li><a href="#1.8">1.8 Summary</a></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>In today’s digital landscape, it is vital for your organization to protect sensitive data. Although email is a fundamental means of communication, it is susceptible to various threats. Email serves as a primary channel for exchanging information which means your organization must implement strong security measures to protect data. This publication provides guidance on the key email security practices and protocols your organization should adopt, with the goal of strengthening your defences and upholding the confidentiality, integrity, and availability of your communications and data. This publication will assist your organization in implementing protective measures such as encryption, authentication, and secure gateways. In addition to protective measures, you should also enhance your employees’ awareness of and compliance with cyber security requirements and best practices. Collectively, these measures will enhance your organization’s confidence to navigate the digital landscape, all while ensuring the security and privacy of your sensitive information.</p> </section><section><h2 class="text-info" id="1.1">1.1 Introduction</h2> <p>Email serves as an important communication tool for individuals and organizations and is widely used on various devices. In organizational information technology (IT) operations, email is particularly important for internal and external business communications. Its extensive use makes it a prime target for threat actors aiming to exploit vulnerabilities and compromise sensitive data. Notably, email was not initially designed with security and privacy in mind. 
The technologies used today that enhance email security, such as encryption and authentication protocols, were added later to help mitigate the risks associated with email communications.</p> <p>With threat actors constantly refining tactics to exploit email vulnerabilities, establishing a strong defence through comprehensive email security measures helps safeguard the confidentiality, privacy, and integrity of your digital communications. Email accounts house a large amount of private information, including personal data, financial details, and confidential business exchanges. Ensuring secure email communications is important to prevent breaches that could compromise the integrity of these exchanges. Email security also protects against malware and phishing attacks, which are frequently initiated via deceptive emails. Additionally, ensuring the availability of email systems is an important aspect of email security. This helps prevent disruptions, downtime, and potential data loss that could occur from attacks on vulnerable systems.</p> <p>For many organizations and businesses, adhering to industry regulations and compliance standards is essential to avoid legal repercussions and to safeguard reputation. By establishing strong email security measures, you can demonstrate compliance and assure customers/clients and partners that the confidentiality, integrity and availability of their sensitive information is handled correctly.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="1.2">1.2 Common email threats</h2> <p>While email is a widely used communication tool, it comes with risks. Email threats are diverse, evolve constantly, and can range from deceptive phishing schemes to harmful malware. 
In this section, we will explore some of the most prevalent threats that can compromise your organization’s private information and digital security.</p> <h3 id="1.2.1">1.2.1 Phishing</h3> <p>An email phishing attack is a deceptive tactic employed by threat actors who send seemingly legitimate emails to users. It stands out as the most common threat to email security. Although it used to be relatively easy to spot phishing attacks, they have become more sophisticated over time. With the advent of artificial intelligence (AI), phishing emails no longer rely on poor spelling or common tropes and lures; they are now well-crafted messages containing seemingly legitimate content, making them harder for the reader to detect.</p> <p>Phishing attacks can be generic or targeted. In the case of targeted attacks, also known as spear phishing, threat actors conduct thorough research to craft well-designed emails aimed at specific individuals or groups with special privileges or access to valuable information.</p> <p>Whaling, a specific form of spear phishing, is directed at high-ranking individuals within an organization, with threat actors posing as trusted authorities. The main goal remains consistent: manipulating users into disclosing sensitive information, such as usernames, passwords, and bank account details. Threat actors may also try to get users to click on malicious links, open harmful attachments within the email, or instruct them to make unauthorized changes within a system they have access to. 
It is essential for you to stay vigilant and understand how phishing attacks evolve to protect your organization from such threats.</p> <p>For more information on phishing attacks and malicious email and how you can avoid, identify, and handle them, read our publications:</p> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages (ITSAP.00.100)</a></li> </ul><h3 id="1.2.2">1.2.2 Spoofing</h3> <p>Email spoofing is a deceptive tactic in which threat actors manipulate the sender’s details in an email header, making it look like the email is from a trusted source. The primary objective is to trick recipients into believing the email is legitimate and to entice them to open it and engage with its contents.</p> <p>The inherent danger is that spoofed emails usually contain malware or viruses, as well as malicious links that point to spoofed websites or services. Simply opening the email can expose the recipient’s device to potential threats, making it vulnerable to further exploitation. Spoofing is commonly employed in both phishing attacks and business email compromise (BEC) scams. The ramifications of falling victim to such attacks extend beyond immediate harm. If sensitive information is disclosed in response to a spoofed email, it can result in identity theft.</p> <p>To mitigate the risks associated with email spoofing, get in the habit of always hovering over links in an email before clicking to verify the actual URL, ensuring it matches the expected domain and appears legitimate. Avoid clicking on links that look suspicious or unfamiliar. Always consult with your organization’s <abbr title="information technology">IT</abbr> security department if you have concerns. 
You should also scrutinize any email that contains unusual requests, such as urgent financial transactions or demands for sensitive information. It is prudent to verify these requests through other communication channels, like a phone call to the sender or manually visiting the website in your browser to confirm the email’s claims.</p> <p>Another important consideration is the potential for homograph attacks, where malicious actors use characters from other alphabets, such as Cyrillic or Greek, that look like Roman letters to create deceptive email addresses or URLs. Pay close attention to subtle differences in characters that might indicate a spoofing attempt. By combining these strategies, you can better protect yourself from the risks of email spoofing.</p> <h3 id="1.2.3">1.2.3 Malware</h3> <p>Threat actors often use email to deliver several types of malware, such as viruses, worms, ransomware, and spyware. Malware can be directly attached to emails or embedded in shared documents sent as attachments, links, or through cloud-based storage. Once malware infiltrates a user’s device, it can potentially gain unauthorized access to system components, compromise or steal sensitive information, and encrypt files. For information on how to defend against and recover from ransomware, read our publication <a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a>.</p> <h3 id="1.2.4">1.2.4 Business email compromise</h3> <p><abbr title="business email compromise">BEC</abbr> presents a growing concern for organizations of all sizes and across various industries. This sophisticated scheme often targets businesses engaged in wire transfers. 
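</p> <p>The homograph and lookalike-domain tricks described in section 1.2.2 can be checked mechanically rather than by eye. The following Python script is an added example written for this page; it is not code from the Cyber Centre publication. It flags a host name whose labels mix scripts (for example Latin and Cyrillic letters), are not plain ASCII (showing the xn-- form a browser would actually resolve), or change under Unicode compatibility normalisation, and it compares the host a link or sender address really points to against the domain the reader expects. The addresses and URLs are constructed sample values, the expected domain is assumed to be known from context, and the script classifier (the first word of a character’s Unicode name) is a deliberately coarse assumption rather than the Unicode Script property a production tool would use.</p>

```python
"""Added example (not from the Cyber Centre publication): checks that expose the lookalike
domain and mixed-script tricks described in section 1.2.2. All addresses and URLs used
here are constructed sample values."""
import unicodedata
from urllib.parse import urlsplit


def script_of(letter):
    """Coarse script of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN SMALL LETTER A' versus 'CYRILLIC SMALL LETTER A'). An assumption
    made for this example; real tooling would use the Unicode Script property."""
    name = unicodedata.name(letter, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def ascii_host(host):
    """Canonical ASCII (IDNA/punycode) form of a host name, lower-cased, no trailing dot."""
    return host.lower().rstrip(".").encode("idna").decode("ascii")


def assess_host(host):
    """Return the findings that make `host` suspicious; an empty list means nothing was flagged."""
    findings = []
    host = host.lower().rstrip(".")
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        if not label.isascii():
            findings.append(f"label '{label}' is not ASCII; it encodes as {ascii_host(label)}")
        if unicodedata.normalize("NFKC", label) != label:
            findings.append(f"label '{label}' changes under NFKC normalisation")
    return findings


def matches_expected(host, expected):
    """True only if `host` is `expected` or a subdomain of it. Both sides are compared in
    ASCII form, so a Cyrillic lookalike can never equal the Latin domain it imitates."""
    h, e = ascii_host(host), ascii_host(expected)
    return h == e or h.endswith("." + e)


def assess_domain(host, expected_domain):
    """Host-level findings plus an explicit mismatch against the domain the reader expects."""
    findings = assess_host(host)
    if not matches_expected(host, expected_domain):
        findings.append(f"host '{host}' is not under '{expected_domain}'")
    return findings


def assess_link(url, expected_domain):
    """Findings for the host a link really points to (what 'hovering over the link' reveals)."""
    return assess_domain(urlsplit(url).hostname or "", expected_domain)


def assess_address(address, expected_domain):
    """Findings for the domain part of a sender address."""
    _, at, domain = address.rpartition("@")
    return assess_domain(domain, expected_domain) if at else ["address has no @"]


if __name__ == "__main__":
    # Constructed samples: the second host uses U+0430, the Cyrillic small letter a.
    for sample in ("https://login.example.com/reset", "https://ex\u0430mple.com/reset"):
        print(sample, "->", assess_link(sample, "example.com") or "no findings")
```

<p>The expected-domain check compares the IDNA (ASCII) forms, so a Cyrillic lookalike never matches even though it renders identically, and a host such as example.com.evil.test is rejected because the comparison is anchored on a label boundary rather than on a substring.</p> <p>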
Threat actors aim to defraud organizations by posing as executives or business partners to trick employees into transferring funds to fraudulent accounts.</p> <p>These intricately planned and precisely directed attacks involve significant amounts of money, which makes them one of the most financially damaging threats to email security. While <abbr title="business email compromise">BEC</abbr> scammers may exploit and steal data, their primary goal is financial gain, and they focus on deceiving organizations through social engineering tactics like impersonation. For more information on how to protect your organization against social engineering, read our publication <a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a>.</p> <h3 id="1.2.5">1.2.5 Impersonation</h3> <p>Impersonation is used by threat actors to exploit trust, benefit financially, or access sensitive information through email. For instance, in <abbr title="business email compromise">BEC</abbr>, threat actors pose as trusted individuals, like employees, to steal from companies or their clients and partners. Another example is an attorney impersonation attack, where the attackers pretend to be legal representatives and often target employees who may lack the knowledge or authority to verify the legitimacy of the attacker’s request. Similarly, threat actors have been known to impersonate authorities, including regulators, government departments, and law enforcement agencies.</p> <p>Another tactic is brand impersonation, where threat actors falsely associate themselves with well-known brands to trick recipients into revealing confidential information. 
Impersonation techniques are many and varied, ranging from mimicking internal personnel, to committing financial fraud, to leveraging the credibility of reputable brands for illicit purposes, which highlights the need for vigilant email security practices.</p> <h3 id="1.2.6">1.2.6 Data exfiltration</h3> <p>Data exfiltration involves the unauthorized transfer or removal of sensitive information from an organization’s email system. Threat actors use various techniques, such as phishing, spyware, or malware, to exfiltrate data. This exposes organizations to potential cybercrimes, including extortion and the illicit sale of data on the dark web. In turn, this can have significant business consequences, including costly data breaches and legal repercussions. To learn more about how to protect your data from exfiltration, read our publication <a href="/en/guidance/defending-against-data-exfiltration-threats-itsm40110">Defending against data exfiltration threats (ITSM.40.110)</a>.</p> <h3 id="1.2.7">1.2.7 Spam</h3> <p>Businesses frequently employ spam (unsolicited messaging) as a means of promoting their goods, services, or websites for commercial purposes. Although spam may not be considered as severe as certain other email security threats, spam emails do carry inherent security risks. Email providers generally identify and filter out such messages, but spam is still a potential threat, as some emails that contain malicious links or attachments may be missed by the email provider filter.</p> </section><section><h2 class="text-info" id="1.3">1.3 Email security protocols</h2> <p>Email security protocols are important for protecting digital communications, as they prevent unauthorized access to email content. 
These protocols establish rules and standards that govern the transmission, reception, and handling of email messages between servers and clients. By defining precise steps and rules for sending, receiving, storing, and retrieving emails, protocols help establish a secure email communication process.</p> <p>This section provides an overview of several established email security protocols that enhance email security. By integrating these email security protocols and practices, you can create a comprehensive and layered defence against many threats and ensure the confidentiality, integrity, and availability of your email communications. The Cyber Centre’s publication <a href="/en/guidance/implementation-guidance-email-domain-protection">Implementation guidance: email domain protection (ITSP.40.065 v1.1)</a> provides guidance on implementing technical security measures to protect your organization’s domains from email spoofing.</p> <h3 id="1.3.1">1.3.1 Transport layer security</h3> <p>Transport layer security (TLS), which replaces secure sockets layer (SSL), is a cryptographic protocol for establishing a secure communication channel via a ‘handshake’. During a <abbr title="transport layer security">TLS</abbr> handshake, the two communicating sides, typically a client and a server, exchange cryptographic keys and encrypt subsequent data transmissions. While <abbr title="secure sockets layer">SSL</abbr> protocols and older versions of <abbr title="transport layer security">TLS</abbr> are considered insecure, the latest <abbr title="transport layer security">TLS</abbr> protocol version ensures email remains confidential during transit. This means that as an email travels across the internet, it is encrypted and protected from eavesdropping. However, while the email may be encrypted during transmission, the sending and receiving servers can still access the plaintext message. 
Therefore, <abbr title="transport layer security">TLS</abbr> does not offer end-to-end confidentiality.</p> <p>Additionally, email transmitted over the internet typically undergoes multiple intermediary transfers across various servers before reaching its destination. While <abbr title="transport layer security">TLS</abbr> can secure the initial transfer from the email client to the first server, there is no guarantee that subsequent transfers will employ <abbr title="transport layer security">TLS</abbr> encryption. Consequently, you should not rely solely on <abbr title="transport layer security">TLS</abbr> to protect sensitive information unless you trust the receiving infrastructure and the organization operating the email servers. This is particularly important when considering the difference between securing communication between an email client application and a server and achieving end-to-end confidentiality between 2 individuals — the sender and the recipient of the email.</p> <p>For information on how to configure <abbr title="transport layer security">TLS</abbr>, read our publication <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>.</p> <h3 id="1.3.2">1.3.2 Secure/multipurpose internet mail extensions</h3> <p>Secure/multipurpose internet mail extensions (S/MIME) is a protocol designed to ensure the security of email communication through an end-to-end encryption framework. This protocol leverages public key infrastructure (PKI) with asymmetric cryptography, which involves a pair of mathematically related keys: a public key and a private key. These keys work collaboratively to establish a secure channel for communication.</p> <p><abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> serves a dual purpose of digitally signing and encrypting messages sent over the Internet. 
Digital signatures authenticate the identity of the sender, while encryption ensures the confidentiality of the email content. In the encryption process, the recipient’s public key is used, and successful decryption requires the corresponding private key held exclusively by the intended recipient. This ensures that only the designated recipient can access the sensitive data, provided the private key remains secure. During authentication, a signature is generated using the sender’s private key and can be verified using the corresponding public key. This allows the recipient to check that the source of the message is authentic.</p> <p>One of the primary advantages of <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> is its resilience against malicious activities such as sender impersonation and message interception. <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> establishes a secure framework for sending and receiving messages by requiring email clients to possess a digital certificate to authenticate the identity of the sender and encrypt emails during transmission.</p> <p>While <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> improves email security, it is important to know that email headers remain unencrypted. This means that threat actors could access certain information about the sender and recipient. 
The Cyber Centre’s publication <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> provides guidance on configuring both <abbr title="transport layer security">TLS</abbr> and <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>.</p> <h3 id="1.3.3">1.3.3 Pretty good privacy and open pretty good privacy</h3> <p>Pretty good privacy (PGP), including the open pretty good privacy (OpenPGP) standard, provides end-to-end encryption for text messages, emails, and files, restricting access to only the intended recipient. It uses digital signatures to verify sender authenticity and relies on public-key cryptography and key management for secure communication. The cost of implementing <abbr title="pretty good privacy">PGP</abbr> is relatively low and there are many free and open-source <abbr title="pretty good privacy">PGP</abbr> software solutions available.</p> <p>However, it should be noted that <abbr title="pretty good privacy">PGP</abbr> requires both the sender and receiver to have compatible software capable of encrypting and decrypting messages for the encryption to work effectively. Additionally, both parties need to exchange and possess each other’s public keys. Older emails that were not originally encrypted with <abbr title="pretty good privacy">PGP</abbr> software remain unencrypted unless they are re-sent using the secure encryption process.</p> <p>Popular email services such as Gmail, Outlook, and Yahoo do not natively support <abbr title="pretty good privacy">PGP</abbr> without additional browser add-ons or supplementary software. 
This limitation can complicate the seamless integration of <abbr title="pretty good privacy">PGP</abbr> into everyday email usage for many users.</p> <p>Overall, <abbr title="pretty good privacy">PGP</abbr> remains a versatile and cost-effective choice for individuals and small businesses seeking email encryption capabilities, provided they navigate its implementation and compatibility requirements effectively.</p> <h3 id="1.3.4">1.3.4 Secure/multipurpose internet mail extensions versus pretty good privacy</h3> <p><abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> are virtually identical mechanisms in terms of what is done to the email message for transport. The main difference is that <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> uses <abbr title="public key infrastructure">PKI</abbr>, with an emphasis on the "I" (infrastructure). <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> requires all users, senders, and recipients to possess certificates issued by a trusted authority or a delegate, which allows users’ identities to be traced back to the authority of the certificate issuer. Certificates in <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> are typically distributed and updated through automated lookup in a corporate directory and require supporting infrastructure.</p> <p>In contrast, <abbr title="pretty good privacy">PGP</abbr> employs self-generated public/private key pairs that must be manually managed and maintained, as well as trust relationships that usually need to be personally verified. For example, one might request another’s <abbr title="pretty good privacy">PGP</abbr> public key and reciprocate by providing their own. 
However, this exchange could be vulnerable to adversary-in-the-middle (AITM) attacks or spoofing, as it occurs before a trust relationship has been established and before both parties have exchanged keys to message each other.</p> <p>Data at rest is another key aspect of email security for both <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr>. <abbr title="transport layer security">TLS</abbr>-protected emails are encrypted only during transport. Once a message reaches its destination, it is decrypted and stored as plaintext on the recipient’s system. This means that if someone gains access to your phone, laptop, or server, they can read all the stored messages. However, if the messages were encrypted with <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> or <abbr title="pretty good privacy">PGP</abbr>, they remain encrypted even in storage unless the user opts to decrypt and store them in plaintext.</p> <p>It is recommended that enterprises and organizations use <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> because it enables them to centrally manage accounts. For example, if an employee leaves, you can simply revoke their <abbr title="public key infrastructure">PKI</abbr> credentials. In contrast, with <abbr title="pretty good privacy">PGP</abbr>, you would have to inform all your employees that the employee no longer works there and that they should no longer trust their <abbr title="pretty good privacy">PGP</abbr> credentials as there is no way for anyone other than the individual to revoke those keys. Additionally, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> allows for security investigations, if required. 
Organizations can maintain a record of communications exchanged via <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>, including timestamps and sender/receiver information, which can be important for forensic analysis in security investigations. Furthermore, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> allows administrators to enforce policies related to message retention and archiving, ensuring compliance with regulatory requirements and facilitating audits or investigations into potential security breaches or misconduct. By leveraging <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> for email encryption and digital signatures, organizations and businesses can better monitor and investigate suspicious activities, thereby strengthening their overall security posture and regulatory compliance efforts.</p> <h3 id="1.3.5">1.3.5 Sender Policy Framework</h3> <p>Sender Policy Framework (SPF) is a system that uses features of the domain name system (DNS) and allows domain owners to specify which servers are authorized to send emails on behalf of their domain. If you receive an email from an IP address that is not specifically permitted by the <abbr title="Sender Policy Framework">SPF</abbr> record, it is likely not legitimate. When an email is sent, the recipient’s mail server checks the <abbr title="Sender Policy Framework">SPF</abbr> record of the sender’s domain to see if the sending mail server is on the authorized list.</p> <p>If the sending mail server is included in the <abbr title="Sender Policy Framework">SPF</abbr> record (a "pass"), the email is considered legitimate and is usually delivered. 
However, if the sending mail server is not listed in the <abbr title="Sender Policy Framework">SPF</abbr> record (a "fail"), the recipient’s mail server may handle the email cautiously—possibly rejecting it or marking it as spam.</p> <p>To effectively manage <abbr title="Sender Policy Framework">SPF</abbr> policies within an organization, it is recommended to start with a softfail (~all) policy during initial testing. This allows administrators to monitor and correct any potential misconfigurations before fully enforcing a hardfail (-all) policy, which unequivocally rejects emails from unauthorized servers. Additionally, it is important to set non-mail-enabled domains and subdomains to hardfail (-all) for all emails, ensuring comprehensive protection against spoofing attempts across all aspects of the organization’s digital presence.</p> <h3 id="1.3.6">1.3.6 DomainKeys identified mail</h3> <p>DomainKeys identified mail (DKIM) is an email authentication protocol that enhances the security of email messages by allowing the sender to digitally sign them. In the <abbr title="DomainKeys identified mail">DKIM</abbr> process, the email server generates a digital signature using the private key, exclusive to the domain owner, and embeds it in the message header. The recipient’s server then verifies the signature using the sender’s public key retrieved from <abbr title="domain name system">DNS</abbr> records, thereby confirming the integrity of both the sender and the message content. Specifically, a hash computation is performed and compared to ensure the authenticity of the message and sender. Once this verification process confirms the sender’s identity and the message’s integrity, the email is then delivered to the recipient’s inbox.</p> <p><abbr title="DomainKeys identified mail">DKIM</abbr> ensures the integrity of email communication, making sure that emails have not been tampered with. 
It allows recipient servers to check the message’s authenticity and to confirm it originates from the claimed domain. This helps prevent spoofing and impersonation attempts.</p> <h3 id="1.3.7">1.3.7 Domain-based message authentication, reporting, and conformance</h3> <p>Domain-based message authentication, reporting, and conformance (DMARC) helps prevent email phishing and domain spoofing by allowing domain owners to define protocols for handling unauthorized or suspicious messages. It builds on <abbr title="DomainKeys identified mail">DKIM</abbr> and <abbr title="Sender Policy Framework">SPF</abbr> to ensure emails are authenticated before transmission, guaranteeing that they originated from the intended domain, and are sent to legitimate recipients.</p> <p>A key feature of <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> is that it lets domain owners establish policies for recipient servers. In turn, this allows messages to be handled effectively, even if they come from untrusted sources. This protocol guides the server on what actions to take when messages fail <abbr title="Sender Policy Framework">SPF</abbr> and/or <abbr title="DomainKeys identified mail">DKIM</abbr> checks, for example, reject, quarantine, or accept. Some large email providers, such as Gmail and Microsoft, have implemented strict <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> policies for inbound emails. They require that both <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr> authentication checks pass for emails sent from domains that have published <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> policies with a reject or quarantine action. Specifically, for Google, this applies if 5,000 or more messages are sent per domain. 
Yahoo, on the other hand, requires both <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr> to pass regardless of the volume of messages sent. This policy means that emails from domains that fail both authentication checks may be rejected or quarantined by these email providers.</p> <p>Unlike some other solutions that rely on a single point of failure, <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> uses a resilient strategy that covers both the source and target sides of email communication. It conducts a comprehensive security check on sender information, recipient details, subject lines, body text, and other message characteristics.</p> <p>Just like <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr>, <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> is optional and requires support from both the sending and receiving sides to effectively mitigate spoofing risks. These protocols do not provide additional cryptographic protection but ensure message integrity and the authenticity of the sender.</p> </section><section><h2 class="text-info" id="1.4">1.4 Protecting your email</h2> <p>It is important for all organizations to secure email since this is essential for protecting sensitive data, including financial information and personally identifiable information. 
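</p> <p>The SPF, DKIM and DMARC checks described in sections 1.3.5 to 1.3.7 are easiest to understand as one inbound pipeline, which is also what section 1.4.2 below asks you to deploy for server identity validation. The following Python script is an added example written for this page, not code from the Cyber Centre publication: it evaluates an SPF record (ip4, ip6, include and all terms with their +, -, ~ and ? qualifiers), computes the DKIM relaxed body hash (the bh= tag) to detect tampering with the message body, and applies a DMARC policy with strict or relaxed alignment and the sp= subdomain policy. The domains, IP addresses and TXT records are constructed sample values served from an in-memory table instead of DNS; the DKIM b= signature (an RSA signature over the canonicalised headers) is not verified, so a message is treated as DKIM-pass when its body hash matches; and the organisational domain is approximated by the last two labels rather than by the Public Suffix List.</p>

```python
"""Added example (not from the Cyber Centre publication): a compact model of the SPF,
DKIM body-hash and DMARC checks a receiving server runs on one inbound message.
DNS is replaced by a constructed in-memory table so the script runs offline; every
domain, IP address and record below is a constructed sample value."""
import base64
import hashlib
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (hypothetical domains and addresses).
DNS_TXT = {
    "example-corp.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
    "parked.example-corp.test": "v=spf1 -all",  # non-mail-enabled subdomain: hardfail everything
    "_dmarc.example-corp.test": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate `domain`'s SPF record for `sender_ip`: pass, fail, softfail, neutral or none."""
    terms = DNS_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1" or depth > 10:  # RFC 7208 caps include: recursion
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = check_spf(mech[8:], sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # a, mx and exists mechanisms need live DNS and are not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def relaxed_body(body):
    """DKIM 'relaxed' body canonicalisation (RFC 6376 section 3.4.4)."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")  # collapse WSP runs, drop trailing WSP
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def dkim_body_hash(body):
    """The bh= value a signer puts in DKIM-Signature for this body (base64 of SHA-256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def parse_tags(text):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature or DMARC record), dropping folding whitespace."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (t.split("=", 1) for t in text.split(";") if "=" in t)}

def org_domain(domain):
    """Organisational domain, approximated as the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict (s) is an exact match, relaxed (r) the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_pass, dkim_domain):
    """Apply the From: domain's DMARC policy: 'pass', 'none' (no policy published) or the p=/sp= action."""
    policy, is_subdomain = parse_tags(DNS_TXT.get("_dmarc." + from_domain, "")), False
    if policy.get("v") != "DMARC1":  # nothing at the exact domain: use the organisational domain's record
        policy, is_subdomain = parse_tags(DNS_TXT.get("_dmarc." + org_domain(from_domain), "")), True
        if policy.get("v") != "DMARC1":
            return "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("sp", policy.get("p", "none")) if is_subdomain else policy.get("p", "none")

def authenticate(sender_ip, mail_from_domain, from_domain, body, dkim_signature):
    """Run the three checks on one message and return their results."""
    spf = check_spf(mail_from_domain, sender_ip)
    tags = parse_tags(dkim_signature)
    # Only the body hash is checked here; a real verifier also validates the b= RSA signature over the
    # canonicalised headers with the d= domain's public key from DNS, which needs a crypto library.
    dkim_ok = tags.get("bh") == dkim_body_hash(body)
    return {"spf": spf, "dkim": dkim_ok,
            "dmarc": dmarc_disposition(from_domain, spf, mail_from_domain, dkim_ok, tags.get("d", ""))}

# Constructed sample message; the DKIM-Signature carries the genuine body hash and a placeholder b=.
BODY = "Hello team,\r\n\r\nPlease review the  attached invoice.\r\n\r\n"
DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-corp.test; s=sel1; h=from:to:subject; "
            "bh=" + dkim_body_hash(BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(authenticate("192.0.2.25", "example-corp.test", "example-corp.test", BODY, DKIM_SIG))
    print(authenticate("203.0.113.5", "attacker.test", "example-corp.test", BODY + "Pay now.\r\n", DKIM_SIG))
```

<p>Run as a script, the first call models legitimate mail from an authorised address with an intact body and yields SPF pass, body hash verified and DMARC pass; the second models a spoof from an unknown address with an altered body and yields SPF none, body hash mismatch and the domain’s p=reject disposition. Mail claiming to be from the parked subdomain falls through to the sp=quarantine policy, and mail relayed through mailer.test passes SPF but fails strict SPF alignment (aspf=s), so it needs an aligned DKIM signature to pass DMARC.</p> <p>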
By adopting the recommended best practices listed in this publication and investing in email security tools (and, if needed, third-party email security services), you can strengthen your organization’s overall data privacy strategy, its security, and its resilience.</p> <h3 id="1.4.1">1.4.1 Email security best practices</h3> <p>It is important to implement robust strategies to safeguard your emails and prevent sensitive information from falling into the wrong hands. This section explores essential best practices aimed at enhancing your email security posture, thereby instilling confidence in your email communications.</p> <h4>1.4.1.1 Use email encryption and encrypted connections</h4> <p>Email encryption and encrypted connections play important roles in ensuring robust email security. Together, they safeguard sensitive information throughout the communication process. Email encryption ensures the confidentiality of email content, preventing unauthorized access even if it is intercepted during transmission. It is particularly important to encrypt email when you are transmitting sensitive or confidential information, such as financial details, legal documents, or personal data.</p> <p><abbr title="transport layer security">TLS</abbr> is used for server-to-client transport encryption and only provides security if you trust the email service provider. For instance, when using a public email service provider, such as Outlook or Gmail, <abbr title="transport layer security">TLS</abbr> will protect the email as it transits the internet, but the service provider can access all emails once they reach its servers. In contrast, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> offer end-to-end encryption, ensuring email content remains encrypted even on the server, providing an additional layer of security. 
These emails can only be read when a recipient downloads them onto their device and enters their decryption key or <abbr title="public key infrastructure">PKI</abbr> credential. It is essential to recognize that <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> provide the added benefit of securing emails from potential access by the email service provider. In contrast, <abbr title="transport layer security">TLS</abbr> encryption only protects emails during transit.</p> <p>Depending on the organization’s business structure, it may be more appropriate to use a web portal protected with <abbr title="transport layer security">TLS</abbr>/HTTPS to send and receive sensitive information. This approach can provide a more user-friendly method to securely transfer important documents, rather than relying on end-users to understand and consistently apply <abbr title="pretty good privacy">PGP</abbr> or <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> encryption. In such systems, the data stored at-rest should be encrypted, ensuring security throughout its lifecycle. This hybrid approach leverages <abbr title="transport layer security">TLS</abbr> encryption for secure transmission over the internet and back-end encryption for secure storage, balancing ease of use with strong security measures.</p> <h3 id="1.4.2">1.4.2 Implement protocols to validate user identity and server identity</h3> <p>Implement protocols such as <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> to validate user identity and ensure that the sender is indeed who they claim to be. 
<abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> offer multipurpose mechanisms for validating user identity, protecting against malicious infrastructure, and ensuring email content confidentiality. <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> relies on trust in certificate authorities (CAs) for automatic certificate management, while <abbr title="pretty good privacy">PGP</abbr> relies on direct trust relationships. Both methods encrypt and sign email content, preventing tampering. Encrypted emails are decrypted only by the recipient’s private key, ensuring email integrity.</p> <p>You should also implement server identity validation (see sections 1.3.5, 1.3.6, and 1.3.7 for more information) in your email systems, using robust methods beyond relying solely on email addresses or IP addresses, as both are easily spoofed. <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> are essential protocols that enhance email security by verifying the authenticity of the sending server, ensuring the integrity of the email content, and providing policies for handling messages that fail authentication checks.</p> <h3 id="1.4.3">1.4.3 Secure the email gateway</h3> <p>Email security gateways serve as inspection points to scrutinize and filter out malware, spam, and phishing attempts. These gateways are essential email security tools and can be deployed in various forms, such as hardware appliances, virtual instances, or cloud-based services. They operate as protective barriers between an organization’s email server and the external email environment, actively inspecting incoming and outgoing emails. By effectively filtering threats like malware and ransomware, these gateways boost overall email security. 
The deployment flexibility of these gateways makes them adaptable to diverse organizational needs and environments.</p> <p>When deploying a secure email gateway, you should consider the reliability and trustworthiness of third-party vendors. You might leverage the expertise and infrastructure of external providers who specialize in email security. These vendors typically offer 2 deployment models for spam filtering and email security: hybrid and full-cloud approaches. You should evaluate which model best suits your operational needs and security requirements.</p> <h3 id="1.4.4">1.4.4 Create an email security policy</h3> <p>An email security policy serves as a comprehensive guide for managing email communications within your organization. It covers protocols for email usage, data storage, device access, and handling email security threats. These protocols are all aimed at protecting sensitive information and ensuring the integrity of communication channels. Operating as a strategic framework, the policy does not just regulate email practices; it actively promotes a culture of cyber security awareness within the organization. By securing sensitive data and strengthening communication channels, the policy plays a pivotal role in building a resilient defence against cyber threats.</p> <h3 id="1.4.5">1.4.5 Monitor email activities</h3> <p>Organizations should implement monitoring tools to track email activity and detect unusual patterns or suspicious behavior. Regular monitoring is essential in maintaining the security of email systems, as it helps identify potential signs of a security breach. By consistently observing the activities within an email environment, organizations can detect any unusual patterns or behaviours that may indicate a compromise.</p> <p>One effective approach to enhancing email monitoring is to use security information and event management (SIEM) systems. 
<abbr title="security information and event management">SIEM</abbr>s aggregate and analyze data from various sources, providing real-time insights and alerts for any suspicious activities. By leveraging <abbr title="security information and event management">SIEM</abbr>s, you can quickly identify and respond to potential threats, minimizing the risk of a successful attack.</p> <p>Another important aspect of email security monitoring is reviewing <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> reports. By regularly reviewing <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> reports, you can gain insights into how your email domain is being used and whether any malicious activities are occurring. These reports provide valuable information about the sources of emails claiming to be from your domain and can highlight any unauthorized senders attempting to spoof it.</p> <h3 id="1.4.6">1.4.6 Conduct regular email security audits and testing</h3> <p>Regular email security audits are essential for evaluating and addressing vulnerabilities in email security solutions and for maintaining resilience to cyber threats. This involves periodic reviews to identify weaknesses and implement necessary improvements and updates to enhance overall email security measures. This allows organizations to make prompt and proactive adjustments to maintain a secure email environment.</p> <h3 id="1.4.7">1.4.7 Keep business and personal emails separate</h3> <p>Keeping personal and professional email accounts separate helps protect sensitive business information. Using work email addresses for personal matters can expose an organization to security risks and potentially compromise confidential data. 
Similarly, using personal email addresses for work-related communications can pose security risks to your organization, as it may violate organizational policies and circumvent standard security measures.</p> <p>To mitigate these risks effectively, organizations should enforce clear policies. These policies should prohibit the use of business email accounts for personal matters and the use of personal email accounts for business activities. It is crucial to communicate these guidelines to all employees to ensure understanding and compliance.</p> <h3 id="1.4.8">1.4.8 Verify email links before you click on them</h3> <p>You should be very careful before you click on any email links or download any attachments, especially if they come from unfamiliar or suspicious sources. Take time to verify the legitimacy of links and assess the credibility of the sender by confirming that the domain name is correct or hovering over the link to see the actual address. This simple yet vital step can help you avoid falling prey to phishing scams or malware attacks and protect your personal and your organization’s information from potential security risks.</p> <h3 id="1.4.9">1.4.9 Block spam and unwanted senders</h3> <p>Blocking spam and unwanted senders is an email security practice that will help mitigate the risks associated with phishing attempts, malware distribution, and other malicious activities. You can enhance your defences by using advanced email filtering tools that analyze content and sender behavior. Update these filters regularly to ensure they are equipped with the latest threat intelligence so that they can block new spam techniques. Customize your security settings by using allow lists and deny lists, which allow trusted emails and automatically block messages from senders on deny lists. Additionally, educate your employees on identifying common spam characteristics. 
You should also review your blocked emails regularly to identify false positives and report suspicious emails for further investigation.</p> </section><section><h2 class="text-info" id="1.5">1.5 Email infrastructure security recommendations</h2> <p>The following sections provide guidance on security recommendations for your email infrastructure.</p> <h3 id="1.5.1">1.5.1 Email servers</h3> <p>Ensure email servers are configured according to security best practices, including disabling unnecessary services, using strong encryption for communication channels, and regularly applying security patches. You should also implement robust access controls to restrict who can manage and access the email server. Use multi-factor authentication (MFA) for administrative access.</p> <h3 id="1.5.2">1.5.2 Database/storage security</h3> <p>Encrypt sensitive data at rest using strong encryption algorithms to protect it from unauthorized access. Apply strict access controls to the email database/storage, limiting access to authorized personnel only. Regularly review and update access permissions. Implement regular backups of email data and ensure backups are securely stored and encrypted. Test backup restoration procedures periodically.</p> <h3 id="1.5.3">1.5.3 Physical controls</h3> <p>Secure physical access to servers hosting email infrastructure. Use access control mechanisms such as biometric scanners, security badges, and surveillance systems. 
Maintain optimal environmental conditions (for example, temperature, humidity) to ensure server reliability and longevity, and ensure that the environmental control systems themselves are also appropriately secured.</p> <h3 id="1.5.4">1.5.4 Cloud environment considerations</h3> <p>When considering a cloud environment for your email services, it is essential to prioritize security measures to protect sensitive information effectively. Start by verifying that your chosen cloud-based email service provider adheres to industry-standard security practices. Review their certifications, such as SOC 2 and ISO 27001, and thoroughly examine their data protection policies to ensure they meet your organization’s security standards.</p> <p>Ensure that all data transmitted to and stored in the cloud is encrypted both in transit and at rest. Understand how encryption keys are managed by the cloud provider and ensure they are adequately protected to prevent unauthorized access.</p> <p>Utilize the access management tools provided by the cloud service to enforce least-privilege access principles. Implement <abbr title="multi-factor authentication">MFA</abbr> for administrative accounts to add an extra layer of security.</p> <p>Regularly audit your cloud environment to ensure compliance with your organization’s security policies and regulatory requirements. Monitor for any changes or incidents that could potentially impact the security of your email data.</p> </section><section><h2 class="text-info" id="1.6">1.6 Additional cyber security best practices to enhance email protection</h2> <p>While email security measures are vital, strengthening your organization’s cyber security requires a comprehensive approach that extends beyond email-specific strategies. 
In this section, we explore additional cyber security best practices that complement email protection efforts. By implementing these measures, you can improve your security posture and protect your digital assets from various threats.</p> <h3 id="1.6.1">1.6.1 Use unique and strong passwords or passphrases</h3> <p>Create unique and strong passwords and passphrases for your accounts. Do not repeat or reuse passwords and passphrases for multiple accounts, and consider using a password manager to securely store your passwords and passphrases. You should aim to create complex and resilient passwords/passphrases, as attackers frequently exploit weak ones. For more information on best practices for passwords and passphrases, read <a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a> and <a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a>.</p> <p>For tips on using password managers, consult <a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a>.</p> <h3 id="1.6.2">1.6.2 Educate and train employees</h3> <p>Employee education and security awareness training are essential components of an effective enterprise email security strategy. It is important that employees at all levels understand the value of protecting sensitive data and the repercussions of email attacks and breaches. Employees are the initial line of defence within organizations, which underscores the need for regular and comprehensive security training to mitigate the risk of human errors. 
The more knowledgeable your employees are about email security, the less likely they are to fall victim to threat actors’ tactics and to scams.</p> <p>Here are some key aspects to consider incorporating into your training:</p> <ul><li>techniques to identify and avoid phishing, ransomware, and <abbr title="business email compromise">BEC</abbr> attacks</li> <li>strategies for avoiding security threats like malware, malicious links, and attachments</li> <li>ways to ensure the security of sensitive information</li> <li>data classification and handling procedures</li> <li>tips for protecting passwords</li> <li>guidelines on responding to email account compromises and promptly reporting suspicious emails or security incidents</li> <li>risks associated with phone-number compromise (subscriber identity module (SIM) swapping)</li> <li>reasons why the crossover use of work and personal emails should be prohibited</li> <li>suitable file types for email transmission and secure file-transfer methods</li> <li>techniques for detecting social engineering attempts and for knowing what not to share through email or other communication channels</li> <li>organization-specific email security policies and industry regulations</li> </ul><p>The goal is to empower employees by providing comprehensive information and to improve organizations’ overall email security posture.</p> <h3 id="1.6.3">1.6.3 Use multi-factor authentication</h3> <p>Use <abbr title="multi-factor authentication">MFA</abbr> whenever possible to secure your email account. <abbr title="multi-factor authentication">MFA</abbr> helps prevent unauthorized access to accounts, even if your password has been compromised. While strong passwords are beneficial, <abbr title="multi-factor authentication">MFA</abbr> adds an extra layer of access control since it requires you to provide more than just a password to log in. 
<abbr title="multi-factor authentication">MFA</abbr> requires a user to provide 2 or more different authentication factors to verify their identity during a login process. These authentication factors can be a combination of something the user knows (for example, password or PIN), something the user has (for example, a smart card or a security key), or something the user is (biometric features such as fingerprint or face scan). This makes it harder for threat actors to gain unauthorized access to your accounts, especially email containing sensitive information.</p> <p>Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> refers to multi-factor authentication methods that are designed to be resilient against phishing attacks. These methods typically do not rely on shared secrets like passwords or codes that can be intercepted or stolen through phishing. Instead, they use cryptographic authentication that does not expose reusable credentials to service providers or attackers.</p> <p>One example of phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> technology is Fast Identity Online (FIDO) based solutions. 
<abbr title="Fast Identity Online">FIDO</abbr> uses cryptographic login credentials that are unique to each website and are never stored on a server.</p> <p>To learn more about <abbr title="multi-factor authentication">MFA</abbr>, read our publications <a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a> and <a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a>.</p> <h3 id="1.6.4">1.6.4 Keep software and operating systems updated</h3> <p>Regularly updating your email security software, anti-virus programs, and operating systems (OS) is important to bolster the security of your email system and protect against identified vulnerabilities. Threat actors often capitalize on weaknesses in outdated software to attain unauthorized access, steal data, or damage your computer. Since major operating systems usually have built-in anti-virus software, you should enable automatic updates for the operating system and any supplementary anti-virus tools to ensure you have the latest security patches. For more information on the importance of updates, read our publication <a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a>.</p> <h3 id="1.6.5">1.6.5 Connect to reliable Wi-Fi networks</h3> <p>Whenever possible, you should refrain from using public Wi-Fi for email communication. These networks are enticing targets for hackers, who may try to access or steal sensitive information when you are online. If you must connect to public Wi-Fi, exercise caution to prevent threat actors from intercepting your email data. Be selective about the Wi-Fi networks to which you connect. 
Where possible, prefer public Wi-Fi networks that use secure encryption such as Wi-Fi protected access 3 (WPA3) or, even better, WPA3 with simultaneous authentication of equals-public key (SAE-PK). If you need to access sensitive email information, use a virtual private network (VPN) to establish a secure connection and protect data. However, you should be aware that not all VPN services offer the same level of trustworthiness. You should choose a VPN provided by a trusted organization rather than relying on publicly available VPN services. For more on Wi-Fi security, read our publications <a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a> and <a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a>.</p> <h3 id="1.6.6">1.6.6 Create an incident response plan</h3> <p>Organizations should develop and regularly update an incident response plan that includes responding to email security incidents. This plan should outline the specific actions to be taken in the event of an email security incident. This includes isolating affected systems to prevent further damage, identifying and mitigating vulnerabilities that may have been exploited, and notifying relevant stakeholders, such as <abbr title="information technology">IT</abbr> teams, management, and possibly even affected users. For information on how to create an incident response plan, read our publication <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a>.</p> <h3 id="1.6.7">1.6.7 Back up important files</h3> <p>Ensure the security and availability of your emails by routinely backing them up to protect against accidental deletion, hardware failures, or security breaches. Explore cloud-based backup solutions, local backup, or isolated solutions to identify what aligns best with your organization’s needs. 
Consider backing up critical files in multiple locations and in backup systems isolated from the primary network. This will prevent ransomware or other malware from easily spreading to the backup infrastructure. Conduct regular restoration exercises to verify the integrity and effectiveness of your backup systems. This practice helps identify any potential issues in the backup process and ensures a smooth recovery in the event of a cyber attack. For guidance on backing up your files, read our publication <a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a>.</p> </section><section><h2 class="text-info" id="1.7">1.7 Engaging with email security experts</h2> <p>Organizations seeking advanced email protection or those that do not have the in-house expertise should consider engaging with a reputable email security expert or adopting a cloud-based solution. Third-party email security service providers can offer a multilayered defence solution with advanced threat intelligence, robust filtering, real-time monitoring, proactive threat detection, and rapid response capabilities. These services can include detailed reporting and analytics to support compliance efforts, identify vulnerabilities, and provide insights into email security trends. For some organizations, outsourcing can help optimize resource allocation, reduce the burden on internal teams, and ensure a comprehensive defence against cyber threats.</p> <p>To ensure that third-party email security services adequately protect your email and sensitive information, apply a supply-chain-integrity analysis. This involves conducting thorough assessments and due diligence on the provider’s security practices, infrastructure, and adherence to industry standards and regulations. 
Verify the provider’s track record, certifications, and any relevant security audits or assessments. This process ensures that third-party services will sufficiently safeguard your data, reducing risks associated with outsourcing. For more on supply chain integrity, read our publications <a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a> and <a href="/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a>.</p> <p>Below is a list of the various types of email security services to consider.</p> <h3 id="1.7.1">1.7.1 Detonation and email sandboxing</h3> <p>In the context of email security, detonation involves executing potentially harmful email attachments or links within a controlled environment to analyze their behavior and determine if they pose a threat. This process, also known as email sandboxing, occurs within a secure and isolated environment and allows security professionals to scrutinize suspicious files without risking harm to the organization’s network or systems. By observing the attachment’s actions in this controlled setting, security teams gather valuable intelligence to better understand and mitigate cyber security risks.</p> <h3 id="1.7.2">1.7.2 Content control</h3> <p>Content control in email security services involves the use of advanced technologies like <abbr title="artificial intelligence">AI</abbr> and machine learning (ML) to analyze email content for unsafe patterns. These services can identify and block various types of potentially harmful content. Specifically, image and content control capabilities focus on scanning attached or embedded images and content within emails. 
By leveraging <abbr title="artificial intelligence">AI</abbr> and ML, these services can detect malware in images and content and prevent their download or execution.</p> <p>Spam and phishing filters are designed to automatically identify and block potentially malicious emails. Third-party services enhance spam and phishing detection by employing advanced algorithms and threat intelligence to analyze email content and sender behavior so that phishing attempts can be identified and blocked before they reach users’ inboxes. These filters also block emails with attachments attempting to access system registries or sensitive folders, as well as those trying to communicate with external IP addresses or download files from external sources. Overall, these measures contribute to a strong defence against spam, phishing, and potential security threats in email communications.</p> <p>In addition to <abbr title="artificial intelligence">AI</abbr>, <abbr title="machine learning">ML</abbr>, and spam and phishing filters, you can leverage the following traditional methods for effective email content filtering and to block or quarantine suspicious attachments or file types:</p> <ul><li>Use email server features to block or quarantine suspicious attachments or file types</li> <li>Implement allow lists to permit only safe file types, thereby enhancing security</li> <li>Automatically convert MS Office documents or other types of documents containing macros to safer formats like PDF to mitigate the risks associated with malicious macros</li> <li>Remove or disable active content to prevent exploitation</li> <li>Deploy anti-virus and anti-malware software to scan email attachments for threats, including archive files like Zip, Rar, and 7zip, which may be quarantined or removed if encrypted</li> <li>Disable macros in MS Office documents if they are allowed, as macros are a common attack vector</li> </ul><h3 id="1.7.3">1.7.3 Authentication systems</h3> <p>Authentication systems are 
essential for defending against spoofed emails, ensuring the legitimacy of senders, and mitigating various cyber threats.</p> <p>Anti-spoofing tools use email authentication protocols to prevent impersonation attacks and flag or reject suspicious messages. Third-party services support organizations in implementing and managing authentication protocols such as <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr>. The primary aim is to prevent domain spoofing, flag or reject suspicious messages, and guarantee the authenticity of email communication, thereby reducing the risk of cyber threats.</p> <h3 id="1.7.4">1.7.4 Email encryption</h3> <p>Email encryption is a security measure that uses encryption techniques to effectively mitigate the risk of email interception. Encrypted emails, which can only be read by authorized senders and recipients, play a pivotal role in preventing unauthorized access to and interception of sensitive information.</p> <p>Email security service providers offer strong email encryption solutions to enhance the security of your sensitive information during transmission. These solutions encompass a range of encryption protocols and advanced push-and-pull encryption methods. With push encryption, emails are converted into encrypted files attached to another email, ensuring secure transit and restricting access to authorized recipients. Pull encryption enables secure email retrieval from a designated portal, ensuring access solely for individuals with the appropriate credentials. These measures collectively safeguard your emails from unauthorized access and ensure the confidentiality of your communications.</p> <h3 id="1.7.5">1.7.5 Email security gateways</h3> <p>Email security gateways are another service offered by email security experts. 
By deploying these gateways, email security experts ensure that all incoming and outgoing emails are thoroughly inspected, malicious content is blocked, and your communication channels are safeguarded.</p> <h3 id="1.7.6">1.7.6 Continuous monitoring</h3> <p>There are email security services that continuously monitor and gather threat intelligence to help defend against emerging threats and vulnerabilities. These services actively monitor the email landscape, watch for new attack vectors, and adapt quickly to evolving risks. By using threat intelligence, they are better able to deliver timely and effective protection against emerging cyber threats.</p> <h3 id="1.7.7">1.7.7 Reporting and analytics</h3> <p>Email security tools that provide reporting and analytics include features for monitoring email traffic and tracking security incidents. Through these capabilities, organizations acquire valuable insights into potential security threats, which allow them to proactively address vulnerabilities. The tools produce detailed reports that provide a comprehensive view of the email security landscape and help organizations identify patterns, trends, and areas that may need additional attention.</p> </section><section><h2 class="text-info" id="1.8">1.8 Summary</h2> <p>It is important for your organization to safeguard emails containing sensitive data, including financial records, proprietary information, and customer and employee details. One key way of doing this is to implement comprehensive email security best practices, including elements such as encryption, authentication, secure gateways, monitoring, and regular audits. 
Adopting these practices not only ensures a robust defence against potential breaches, but also protects the confidentiality of sensitive information during email transmission.</p> <p>Email security protocols, including <abbr title="transport layer security">TLS</abbr>, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>, <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr>, play pivotal roles in strengthening email communication security. These protocols address diverse aspects of cyber security, such as encryption, authentication, and protection against phishing and spoofing attempts.</p> <p>Adhering to these security protocols and the best practices covered in this document will help your organization establish a trustworthy communication environment, especially in transactions involving sensitive data. Collectively, they can help strengthen your organization’s overall data privacy strategy, improve its security posture, and increase resilience. By prioritizing email security, organizations not only instill confidence in stakeholders but also foster a culture of cyber security awareness and maintain a proactive stance against emerging cyber threats.</p> </section></div> </div> </div> </div> </div> </article>
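Sections 1.4.2 and 1.4.5 above recommend publishing SPF, DKIM and DMARC records and regularly reviewing DMARC aggregate reports to spot unauthorized senders claiming your domain. The Python script below is an added example and is not code from the Cyber Centre publication: it checks a published DMARC TXT record for a monitoring-only policy and parses an aggregate (RUA) report to list the source IPs that failed both SPF and DKIM alignment. The domain example.com, the addresses in the 203.0.113.0/24 documentation range and the report contents are constructed sample data; real reports arrive by email from receiving mail providers.

```python
"""Review a DMARC aggregate (RUA) report and a published DMARC record to
spot unauthorized senders and a monitoring-only policy.

Added example, not from the Cyber Centre publication. The TXT records and
the report XML below are constructed sample data."""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT records as they would be published at
# _dmarc.example.com. p=none only monitors; spoofed mail is still delivered.
WEAK_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# Constructed aggregate report in the RFC 7489 XML layout, trimmed to the
# fields read here. First record: the organization's own mail server.
# Second record: an unknown host sending mail that claims to be example.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy_findings(txt):
    """Return a list of findings about a published DMARC record (empty = fine)."""
    tags = parse_dmarc_record(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record is not a valid DMARC record")
        return findings
    if tags.get("p", "none") == "none":
        findings.append("p=none: failing messages are still delivered; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be sent, so spoofing cannot be reviewed")
    return findings


def summarize_report(xml_text):
    """Return (published_policy, list of per-source dicts) from a RUA report."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim")
        spf = evaluated.findtext("spf")
        sources.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            # DMARC passes when either aligned identifier (SPF or DKIM) passes.
            "aligned": dkim == "pass" or spf == "pass",
        })
    return policy, sources


def unauthorized_senders(xml_text):
    """IPs that sent mail as the domain but failed both SPF and DKIM alignment."""
    _, sources = summarize_report(xml_text)
    return [s["ip"] for s in sources if not s["aligned"]]


if __name__ == "__main__":
    for finding in dmarc_policy_findings(WEAK_DMARC_RECORD):
        print("record:", finding)
    policy, sources = summarize_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for s in sources:
        status = "ok" if s["aligned"] else "UNAUTHORIZED"
        print(f"{s['ip']:<16} {s['count']:>6} msgs  spf={s['spf']} dkim={s['dkim']}  {status}")
```

Running the script prints the weak-policy finding and flags 203.0.113.77 as an unauthorized source. In practice the same loop is run over every report received, and a source that keeps failing alignment is either a forgotten legitimate sender (add it to SPF or sign with DKIM) or a spoofer, which only a policy of quarantine or reject will actually stop.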
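Section 1.7.2 lists traditional content controls for attachments: an allow list of file types, blocking Office documents that carry macros, and quarantining encrypted archives that scanners cannot open. The Python below is an added example, not code from the publication or from any vendor, showing how those three rules can be applied to a batch of attachments. It looks inside the ZIP container of Office Open XML files for a VBA project and reads the encryption flag on ZIP entries (only ZIP is handled here; RAR and 7z would need their own parsers). The file names, the allow list and all attachment contents are constructed in memory so the script runs offline.

```python
"""Apply attachment content controls: file-type allow list, macro detection
in Office Open XML documents, and quarantine of encrypted ZIP archives.

Added example, not the publication's code. All attachments are constructed
in memory; the allow list is a sample policy, not a recommendation."""
import io
import struct
import zipfile

ALLOWED_EXTENSIONS = {"pdf", "txt", "png", "jpg", "docx", "xlsx", "zip"}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in a ZIP entry header


def is_encrypted_zip(data):
    """True if any entry in the archive has the encryption flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def has_office_macros(data):
    """Office Open XML files are ZIP containers; VBA code lives in vbaProject.bin.
    Checking the container catches macro content even if the file was renamed
    from .docm/.xlsm to .docx/.xlsx."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return ('allow' | 'quarantine' | 'block', reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"file type .{ext or '?'} is not on the allow list"
    if ext in {"docx", "xlsx"} and has_office_macros(data):
        return "block", "Office document contains a VBA project (macros)"
    if ext == "zip" and is_encrypted_zip(data):
        return "quarantine", "encrypted archive cannot be scanned"
    return "allow", "passed content controls"


# --- constructed sample attachments -----------------------------------------
def _zip_bytes(entries):
    """Build a small ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_entries_encrypted(data):
    """Set the encryption flag in every central-directory header so the archive
    presents as password-protected (sample data only; bodies are not encrypted)."""
    out = bytearray(data)
    pos = out.find(b"PK\x01\x02")
    while pos != -1:
        flags = struct.unpack_from("<H", out, pos + 8)[0]
        struct.pack_into("<H", out, pos + 8, flags | ENCRYPTED_FLAG)
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)


SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.4 constructed sample",
    "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "macro.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
    "update.exe": b"MZ constructed sample",
    "archive.zip": _zip_bytes({"notes.txt": b"hello"}),
    "locked.zip": _mark_entries_encrypted(_zip_bytes({"payload.bin": b"hello"})),
}


def run_policy(attachments=SAMPLE_ATTACHMENTS):
    """Classify every attachment; returns {filename: (verdict, reason)}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_policy().items():
        print(f"{name:<14} {verdict:<10} {reason}")
```

Run the script directly to print a verdict per attachment. The extension check alone is not enough: `has_office_macros` inspects the container, so a macro-enabled document renamed to .docx is still blocked, and an encrypted archive is quarantined rather than allowed because its contents cannot be scanned, which is the behaviour section 1.7.2 describes.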
- Joint guidance on managing cryptographic keys and secrets by Canadian Centre for Cyber Security on August 20, 2025 at 3:58 pm
<article data-history-node-id="6723" about="/en/news-events/joint-guidance-managing-cryptographic-keys-secrets" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the following international partners in releasing cyber security guidance on managing cryptographic keys and secrets:</p> <ul><li>Australia’s Department of Industry Science and Resources (DISR)</li> <li>Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC)</li> <li>Japan’s National Cybersecurity Office (NCO)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> </ul><p>Cryptographic keys and secrets are a critical asset of many organizations and an important aspect of cyber security. They require careful management and protection throughout their lifecycle. 
When an organization’s keys or secrets have been compromised, it can have significant negative impact on its operations, finances and reputation.</p> <p>This joint guidance is intended for security personnel and considers threats to the following types of cryptographic keys and secrets:</p> <ul><li>Asymmetric keys</li> <li>Digital certificates</li> <li>Symmetric keys</li> <li>Secrets</li> </ul><p>This joint guidance aims to help personnel understand the threat environment and the value of implementing secure keys and managing secrets.</p> <p>Read the full joint guidance: <a href="https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/secure-by-design/managing-cryptographic-keys-and-secrets">Managing Cryptographic Keys and Secrets</a></p> </div> </div> </div> </div> </div> </article>
- Steps to address data spillage in the cloud (ITSAP.50.112) by Canadian Centre for Cyber Security on August 13, 2025 at 6:42 pm
<article data-history-node-id="659" about="/en/guidance/steps-address-data-spillage-cloud-itsap50112" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.112</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> </div> <!--pdf download--> <p>In our interconnected digital world, the security of data stored in the cloud is more critical than ever. Data spillage, or the unintended exposure of sensitive information, can have far-reaching consequences for individuals and organizations.</p> <p>Data spillage occurs when sensitive information is placed on information systems that are not authorized to process or store the information. It can also happen when data is made available to an unauthorized individual. For example, a spill occurs if secret data is transferred or made available on an unclassified network.</p> <p>This publication outlines the essential steps your organization should follow to effectively manage and mitigate data spillage incidents in cloud environments. 
These steps will help you ensure that sensitive data remains secure and private.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#identify">Step 1: Identify the data spill</a></li> <li><a href="#contain">Step 2: Contain the data spill</a></li> <li><a href="#alert">Step 3: Alert your stakeholders of the data spill</a></li> <li><a href="#Remediate">Step 4: Remediate the data spill</a></li> <li><a href="#Considerations">Considerations to enhance your cyber security posture in the cloud</a></li> <li><a href="#Disposal">Appropriate disposal of IT equipment</a></li> </ul><section><h2 class="text-info" id="identify">Step 1: Identify the data spill</h2> <p>Swiftly identifying a data spillage incident is crucial for limiting the potential damage. Recognizing unauthorized data exposure is vital to identifying data spillage. This can occur in various ways, such as misplaced emails, unsecured cloud storage or misplaced physical devices. Early detection is key and is dependent on robust monitoring systems and awareness of data flows within an organization. This allows you to quickly assess the nature, scope, and potential impact of the data spill.</p> <p>Answer the following questions to effectively triage and assess the damage caused by a data spill:</p> <ul><li>What information was compromised? <ul><li>Understanding the type of data—whether personal, financial, or confidential—helps determine the severity of the spill</li> </ul></li> <li>Where was the information moved? <ul><li>Identifying the unintended location(s) of the data can guide the containment strategy</li> </ul></li> <li>How was the information moved? <ul><li>Understanding the method of transfer, such as USB or email, can provide insights into the nature and potential spread of the spill</li> </ul></li> <li>Who was the information sent to? <ul><li>Knowing who received the spilled data is essential for containment and remediation efforts</li> </ul></li> <li>Where did the information come from? 
<ul><li>Tracing the origin of the spilled data helps identify potential vulnerabilities within the system</li> </ul></li> <li>When did the spill occur? <ul><li>Determining the timing of the spill can affect the response strategy and potential impact assessment</li> </ul></li> </ul><p>Early identification depends on a comprehensive understanding of these aspects and allows your organization to respond effectively and mitigate the impacts of data spillage.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="contain">Step 2: Contain the data spill</h2> <p>The immediate containment of a data spill is critical to preventing further unauthorized access or distribution. This step requires your organization to secure the spilled data by removing it from unsecured locations or restricting access to it. In cloud environments, containment may also involve working with cloud service providers (CSPs) to leverage their tools and capabilities for securing data. A rapid response is essential to seal off vulnerabilities and limit data proliferation.</p> <p>To effectively contain a data spill, consider the following:</p> <h3>Utilize platform functions</h3> <p>Employ available cloud platform functions to delete the affected files and any known copies from your system. If the spill involves email, recall the message if possible.</p> <h3>Direct recipients</h3> <p>For all forms of data, including email, contact the recipients directly and instruct them not to forward or access the data. 
Ask all recipients to delete the spilled information from their environments and to empty their recycle bins.</p> <h3>Challenges containing data in the cloud</h3> <p>Recognize the unique challenges of containing data spillages in cloud environments, including:</p> <ul><li>verifying the complete removal of spilled data post-cleanup, including versioned copies, replicas and backups held by the <abbr title="cloud service provider">CSP</abbr></li> <li>determining whether the spilled data was accessed or copied by unauthorized parties while it was exposed</li> </ul><p>These challenges underscore the complexity of managing data spillage in cloud services and the importance of swift, strategic action to mitigate risk.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="alert">Step 3: Alert your stakeholders of the data spill</h2> <p>After the data spillage is identified and contained, it’s crucial to promptly alert the appropriate internal and external stakeholders. Effective communication ensures a coordinated response to the incident and helps mitigate potential damage.</p> <p>To ensure a comprehensive alert protocol, consider the following actions:</p> <h3>Internal reporting</h3> <p>Immediately contact your IT service desk to report the spillage. If the IT service desk is designated as the remediation authority, they will triage the incident following your organization’s security incident management process. If not, the service desk will escalate the incident to the appropriate remediation authority.</p> <h3>Report to management</h3> <p>Inform your management chain of the incident, regardless of the type of breach. 
They will provide support and direction for the remediation effort and respond to any inquiries as required.</p> <h3>Secure communication with cloud service providers</h3> <p>When involving <abbr title="cloud service providers">CSP</abbr>s, use secure communication methods. Ensure that cleared <abbr title="cloud service providers">CSP</abbr> personnel have located and deleted all possible copies of the data (if this is included in your service agreement). If secure communication methods and cleared personnel are not readily available, assess, with your manager, the benefits versus the risks of contacting the <abbr title="cloud service providers">CSP</abbr>.</p> <h3>External notifications</h3> <p>Depending on the nature of the data and the spillage, external notifications may be required. This includes notifying affected individuals, regulatory bodies or other stakeholders as dictated by law, regulation or policy.</p> <h4>Additional information for government departments and critical infrastructure sectors</h4> <p>For Government of Canada departments and critical infrastructure sectors, external notifications include reporting breaches directly to the Canadian Centre for Cyber Security (Cyber Centre) by phone at 1-833-CYBER-88 (<a href="tel:+1-833-292-3788">1-833-292-3788</a>) or online at <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="6e494caa-d595-4273-ad70-ba2d1543af6e" href="/en/incident-management">Report a cyber incident</a>.</p> <h4>Government of Canada departments</h4> <p>In addition to reporting the incident to the Cyber Centre, follow your department’s incident response procedures and the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html">Government of Canada Cyber Security Event Management Plan (GC CSEMP)</a>.</p> <h4>Critical infrastructure sectors</h4> <p>In addition to reporting 
the incident to the Cyber Centre, consult Public Safety’s action-oriented guidance in <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2016-fndmntls-cybr-scrty-cmmnty/index-en.aspx">Fundamentals of Cyber Security for Canada’s CI community</a> for more information.</p> <h4>Privacy</h4> <p>If a data spill impacts or potentially impacts the privacy of Canadians, <a href="https://www.priv.gc.ca/en/report-a-concern/">report the spill to the Office of the Privacy Commissioner</a>.</p> <span class="clearfix"> </span> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="Remediate">Step 4: Remediate the data spill</h2> <p>After containing the spill and notifying the relevant parties, your focus should shift to remediation. This involves not only addressing the immediate impacts of the spill but also implementing measures to prevent future incidents. Effective remediation depends on a thorough investigation to understand the root causes of the spillage.</p> <p>For a comprehensive remediation process, consider the following actions:</p> <h3>Work with your cloud service provider</h3> <p>Engage with your <abbr title="cloud service providers">CSP</abbr> to ensure the spill is fully contained and to leverage their expertise in cleaning up the spill. This includes utilizing platform functions for data clean-up, such as removing tags and pointers or employing crypto-shredding.</p> <h3>Manage device and cloud space</h3> <p>Recall, destroy, and replace any affected mobile devices, servers or portions of the cloud tenant space that contained the spilled data. Crypto-shredding can be an effective method for ensuring the data is irrecoverable.</p> <h3>Review policies and procedures</h3> <p>Analyze the incident to identify any weaknesses in current policies and procedures. 
Update these to incorporate lessons learned from the spillage, focusing on improving data management, transfer, and storage practices.</p> <h3>Engage stakeholders</h3> <p>Ensure all stakeholders, including <abbr title="cloud service providers">CSP</abbr>s and any external organizations involved, are informed of the remediation actions and progress. Coordination with these parties is essential for a holistic approach to remediation.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="Considerations">Considerations to enhance your cyber security posture in the cloud</h2> <p>To enhance your overall cyber security posture in the cloud, your organization should consider the following:</p> <h3>Responsibility and collaboration</h3> <p>Understand that the legal responsibility for data security remains with the data owner, even in cloud environments. Effective collaboration with <abbr title="cloud service providers">CSP</abbr>s and clear internal policies are crucial for protecting data.</p> <h3>Awareness and training</h3> <p>Educating personnel on the risks of data spillage and proper data-handling techniques is essential for preventing data spills. Regular training can significantly reduce the likelihood of future incidents. 
To view the full list of Cyber Centre courses, please visit <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8835c939-543a-4cde-806c-370702ed4826" href="/en/education-community/learning-hub">The Learning Hub</a>.</p> <h3>Continuous improvement</h3> <p>Adopting a posture of continuous improvement, learning from past incidents, and updating policies accordingly are vital steps in enhancing an organization’s data security measures.</p> </section><section><h2 class="text-info" id="Disposal">Appropriate disposal of IT equipment</h2> <p>Proper disposal reduces the risk of threat actors exploiting residual data that is left on IT equipment with electronic memory or data storage media. This advice is applicable when considering data spillages using cloud services. Consult <a href="/en/guidance/it-media-sanitization-itsp40006">IT media sanitization (ITSP.40.006)</a> for additional advice on properly disposing of IT media.</p> </section></div> </div> </div> </div> </div> </article>
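<p>The triage questions in Step 1 (what, where, how, who, from where, when) and the containment work list in Step 2 can be produced from the cloud audit trail rather than by hand. The following is an added example, not code from the Cyber Centre publication: it evaluates constructed CloudTrail-like events against a map of which storage systems and mail domains are authorized for which level, flags every transfer to a less-trusted system as a spill, and groups the resulting copies by destination so each can be purged. The level names, bucket names, mail domains, event fields and log lines are all assumptions made for the example; a real deployment would read the <abbr title="cloud service provider">CSP</abbr>’s own audit log service and its object-version listings.</p>

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Level each system is authorized to hold. Moving data from a higher level to a
# lower one is a spill by the definition above. The level names, the
# location-to-level map and the mail domains are constructed for this example.
LEVELS = {"UNCLASSIFIED": 0, "PROTECTED": 1, "SECRET": 2}
AUTHORIZED_LEVEL = {
    "s3://proj-alpha-secret": "SECRET",
    "s3://proj-alpha-working": "PROTECTED",
    "s3://corp-public-web": "UNCLASSIFIED",
    "mail:example.gc.ca": "PROTECTED",   # hypothetical internal mail domain
}
DEFAULT_LEVEL = "UNCLASSIFIED"  # an unknown destination (external mail, personal cloud) is trusted with nothing

# Constructed audit events in a CloudTrail-like shape; not real log data.
AUDIT_LOG = """
{"time":"2025-08-04T13:02:11Z","actor":"jdoe","action":"CopyObject","src":"s3://proj-alpha-secret/plans/q3.docx","dst":"s3://proj-alpha-working/plans/q3.docx","recipients":[]}
{"time":"2025-08-04T13:05:40Z","actor":"jdoe","action":"CopyObject","src":"s3://proj-alpha-working/plans/q3.docx","dst":"s3://corp-public-web/downloads/q3.docx","recipients":[],"version_id":"v2"}
{"time":"2025-08-04T13:09:02Z","actor":"jdoe","action":"SendMail","src":"s3://proj-alpha-secret/plans/q3.docx","dst":"mail:gmail.com","recipients":["partner@gmail.com","a.smith@example.gc.ca"]}
{"time":"2025-08-04T13:11:30Z","actor":"asmith","action":"CopyObject","src":"s3://corp-public-web/img/logo.png","dst":"s3://proj-alpha-working/img/logo.png","recipients":[]}
"""


def level_of(location: str) -> str:
    """Authorized level of the system a path or mail domain belongs to."""
    for prefix, level in AUTHORIZED_LEVEL.items():
        if location == prefix or location.startswith(prefix + "/"):
            return level
    return DEFAULT_LEVEL


def system_of(location: str) -> str:
    """Bucket or mail domain portion of a location, used to group containment work."""
    if "://" in location:
        scheme, rest = location.split("://", 1)
        return f"{scheme}://{rest.split('/', 1)[0]}"
    return location


@dataclass
class SpillFinding:
    when: str                  # When did the spill occur?
    what: str                  # What information was compromised, and at what level?
    origin: str                # Where did the information come from?
    destination: str           # Where was the information moved?
    how: str                   # How was the information moved, and by whom?
    who: List[str]             # Who was the information sent to?
    version_id: Optional[str]  # specific copy to purge where the platform keeps object versions


def detect_spills(log_text: str) -> List[SpillFinding]:
    """Flag every event that moves data to a system authorized for a lower level."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        src_level, dst_level = level_of(ev["src"]), level_of(ev["dst"])
        if LEVELS[src_level] > LEVELS[dst_level]:
            findings.append(SpillFinding(
                when=ev["time"],
                what=f"{ev['src'].rsplit('/', 1)[-1]} ({src_level})",
                origin=ev["src"],
                destination=ev["dst"],
                how=f"{ev['action']} by {ev['actor']}",
                who=ev.get("recipients", []),
                version_id=ev.get("version_id"),
            ))
    return findings


def containment_targets(findings: List[SpillFinding]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Copies to purge, grouped by the system holding them (the Step 2 work list)."""
    targets = defaultdict(list)
    for f in findings:
        targets[system_of(f.destination)].append((f.destination, f.version_id))
    return dict(targets)


if __name__ == "__main__":
    found = detect_spills(AUDIT_LOG)
    for f in found:
        print(f"{f.when} {f.how}: {f.what} {f.origin} -> {f.destination} recipients={f.who}")
    print(containment_targets(found))
```

<p>Three of the four constructed events are spills: the copy from the SECRET bucket into a bucket only authorized for PROTECTED, the onward copy to the public bucket, and the mail to an external domain. The copy of a public logo into the working bucket is not. Note the <code>version_id</code> on the second finding: where object versioning or soft delete is enabled, deleting the current object leaves the spilled version recoverable, which is exactly the "verifying the complete removal" challenge named in Step 2.</p>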
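<p>Step 4 names crypto-shredding alongside "removing tags and pointers", and the two are not equivalent: removing a pointer leaves the bytes recoverable by anyone who still holds a copy, while destroying the only key that can decrypt those bytes makes every copy useless at once, including replicas and backups the responders cannot reach. The following added example (not the Cyber Centre’s code) shows the envelope-encryption pattern that makes this work: one data encryption key (DEK) per object, each DEK stored only wrapped under a key encryption key (KEK), and the shred implemented as deletion of the wrapped DEK. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with a separate MAC) so the block runs anywhere; the object name, the plaintext and the store layout are assumptions for the example, and production code would use AES-GCM from a vetted library or the <abbr title="cloud service provider">CSP</abbr>’s key management service.</p>

```python
import hashlib
import hmac
import os
from typing import Dict

# --- Toy authenticated cipher: HMAC-SHA256 in counter mode plus a separate MAC
# (encrypt-then-MAC). A stand-in so the example runs with only the standard
# library; production code uses AES-GCM from a vetted library or the CSP's KMS.
def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on tampering or a wrong key."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Envelope encryption: one DEK per object, each DEK stored only wrapped under
# the KEK. Deleting the wrapped DEK is the crypto-shred.
class EnvelopeStore:
    def __init__(self, kek: bytes):
        self._kek = kek
        self._wrapped_deks: Dict[str, bytes] = {}  # key table: object id -> DEK wrapped under KEK
        self.blobs: Dict[str, bytes] = {}          # object id -> ciphertext (replicas/backups hold copies)

    def put(self, obj_id: str, plaintext: bytes) -> None:
        dek = os.urandom(32)                       # fresh key for this object only
        self.blobs[obj_id] = seal(dek, plaintext)
        self._wrapped_deks[obj_id] = seal(self._kek, dek)

    def get(self, obj_id: str) -> bytes:
        wrapped = self._wrapped_deks.get(obj_id)
        if wrapped is None:
            raise KeyError(f"{obj_id}: no key available; object was shredded or never existed")
        return unseal(unseal(self._kek, wrapped), self.blobs[obj_id])

    def crypto_shred(self, obj_id: str) -> None:
        """Destroy the only key that opens this object. Every ciphertext copy, wherever
        it was replicated or backed up, becomes unrecoverable; the bytes may remain."""
        self._wrapped_deks.pop(obj_id)


def demo() -> dict:
    store = EnvelopeStore(kek=os.urandom(32))
    store.put("plans/q3.docx", b"SECRET: Q3 deployment plan")   # constructed spilled object
    backup_copy = store.blobs["plans/q3.docx"]                  # a replica the responders cannot reach
    before = store.get("plans/q3.docx")
    store.crypto_shred("plans/q3.docx")
    try:
        store.get("plans/q3.docx")
        after = "recovered"
    except KeyError:
        after = "unrecoverable"
    return {"before": before, "after": after,
            "ciphertext_unchanged": backup_copy == store.blobs["plans/q3.docx"]}


if __name__ == "__main__":
    print(demo())
```

<p>The point of the demo is the last field: the ciphertext in the store (and the untouched backup copy) is byte-for-byte unchanged after the shred, yet it can no longer be opened. This is why crypto-shredding is the answer to residual copies in a cloud tenant, provided the data was encrypted under per-object keys before the spill; it cannot be applied retroactively to plaintext that has already been copied elsewhere.</p>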
- Joint guidance on foundations for operational technology cyber security and asset inventory guidance for owners and operators by Canadian Centre for Cyber Security on August 13, 2025 at 4:08 pm
This joint guidance outlines the process for OT owners and operators to create an asset inventory and OT taxonomy.
- Introduction to cloud computing (ITSAP.50.110) by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm
<article data-history-node-id="715" about="/en/guidance/introduction-cloud-computing-itsap50110" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.110</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <p>Cloud computing is the on-demand delivery of IT resources over the Internet. Think of it as a network of companies that sell computing power, which customers can access online.</p> <p>With cloud computing, users can access technology services, such as computing power and storage, as needed from a cloud service provider (CSP). This reduces the need for organizations to own and maintain physical servers and data centres.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#bcc">Benefits of cloud computing</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="bcc">Benefits of cloud computing</h2> <p>Cloud computing allows for convenient, on-demand access to a shared pool of configurable computing resources. 
Cloud computing offers many benefits to organizations.</p> <h3>Performance</h3> <p><abbr title="cloud service providers">CSPs</abbr> offer scalable resources that adjust to match your business growth and handle peak demand efficiently. They provide optimal computing power to your organization and ensure you have the latest high-performance hardware by regularly updating their systems.</p> <h3>Accessibility and productivity</h3> <p>Leveraging cloud computing can enable users to securely access data and applications anywhere, anytime. Users can access their files, email or applications from anywhere. Documents can be shared among users while remaining in a central location. This improves collaboration across teams in various locations and boosts productivity, leading to more agile and responsive business operations.</p> <h3>Reliability</h3> <p>Cloud computing makes data back-ups, disaster recovery and business continuity easier and less expensive because data can be mirrored at multiple sites on the <abbr title="cloud service provider">CSP</abbr>’s network.</p> <h3>Cost efficiency</h3> <p>Organizations can avoid capital expenses associated with purchasing equipment and software, as well as the operational costs of running an on-premises environment. Cloud computing shifts the financial burden from large, up-front investments to a more manageable, pay-as-you-go model. 
It aligns the costs with actual usage and business demands.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="mrgn-tp-md text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/models-cloud-computing-itsap50111">Models of cloud computing (ITSAP.50.111)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/cloud-adoption-strategy-2023-update.html">Treasury Board of Canada Secretariat’s Government of Canada Cloud Computing</a></li> </ul></div> </div> </div> </div> </div> </article>
- Models of cloud computing (ITSAP.50.111) by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm
<article data-history-node-id="716" about="/en/guidance/models-cloud-computing-itsap50111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.111</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12"> <p>Cloud service providers (CSPs) offer 3 service models and 4 deployment models. Service models provide customers with options to access a <abbr title="Cloud service providers">CSP</abbr>’s services, while deployment models offer customers different ways of using them. This publication provides an overview of the different models of cloud computing, allowing you to choose the best option for your organization.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#service-model">Service models</a></li> <li><a href="#deployment-model">Deployment models</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="mrgn-tp-lg text-info" id="service-model">Service models</h2> <p>Cloud computing has changed how organizations and individuals use technology. 
The service models offered to customers define the specific types of services provided by <abbr title="Cloud service providers">CSP</abbr>s.</p> <h3>Software as a Service</h3> <p>Software as a Service (SaaS) is a software distribution model in which customers purchase a service to use applications hosted by a <abbr title="Cloud service providers">CSP</abbr>. The service is made available for use over the Internet. Some well-known examples of <abbr title="Software as a Service">SaaS</abbr> include Google Workspace and Microsoft 365.</p> <p><abbr title="Software as a Service">SaaS</abbr> is a popular service model as it:</p> <ul><li>allows access to software from any device with an Internet connection</li> <li>includes <abbr title="Cloud service providers">CSP</abbr> upkeep of the software</li> </ul><h3>Platform as a Service</h3> <p>Platform as a Service (PaaS) provides developers with a cloud platform to build, deploy and manage applications without the complexity of maintaining the underlying infrastructure. This service model enables efficient application development through managed hosting environments. With <abbr title="Platform as a Service">PaaS</abbr>, developers can focus on their application’s functionality rather than its operation.</p> <p>Popular <abbr title="Platform as a Service">PaaS</abbr> examples include Microsoft Azure App Service and Salesforce’s Force.com. These platforms streamline the development and deployment processes, enabling faster and more secure application delivery.</p> <p><abbr title="Platform as a Service">PaaS</abbr> providers perform the following security actions to better secure applications against emerging threats:</p> <ul><li>Security updates</li> <li>Compliance monitoring</li> <li>Threat detection</li> </ul><h3>Infrastructure as a Service</h3> <p>Infrastructure as a Service (IaaS) provides scalable computing resources like servers, storage and networking over the Internet. 
This service model enables users to develop, run and manage applications on the <abbr title="Cloud service providers">CSP</abbr>’s hardware. Examples of IaaS include Amazon Web Services (AWS) offerings like EC2 and S3.</p> <h2 class="mrgn-tp-md text-info" id="deployment-model">Deployment models</h2> <p>Deployment models describe the access, size, and ownership of the cloud infrastructure.</p> <h3>Public cloud</h3> <p>The public cloud model offers services over the Internet, making the <abbr title="Cloud service providers">CSP</abbr>’s infrastructure and resources accessible to anyone. It’s managed externally and is separated from the customer’s in-house <abbr title="Information Technology">IT</abbr> infrastructure.</p> <h3>Private cloud</h3> <p>The private cloud model provides a dedicated environment for a single entity, ensuring exclusive access and control over the infrastructure. It offers enhanced security and privacy, as it can be hosted and managed either onsite by the customer or offsite by the <abbr title="Cloud service providers">CSP</abbr>. The private cloud is tailored to meet the needs of the customer, allowing greater control over computational resources and customized security measures. This model is ideal for organizations that require strict security and data privacy or that have specific regulatory compliance needs.</p> <h3>Community cloud</h3> <p>The community cloud model is a dedicated environment shared among multiple organizations with similar privacy, security and regulatory needs. It allows organizations to utilize a common infrastructure.</p> <h3>Hybrid cloud</h3> <p>The hybrid cloud combines different cloud types (public, private or community), while maintaining their distinct characteristics. These cloud types are interconnected for seamless data and application mobility. Each member cloud remains a unique entity but is bound to the others through standardized or proprietary technology. 
This allows applications and data to be transferred easily among members.</p> <h2 class="mrgn-tp-md text-info" id="learn-more">Learn more</h2> <p>For more information on the different service and deployment models, see the <a href="https://csrc.nist.gov/pubs/sp/800/145/final">National Institute of Standards and Technology (NIST) Special Publication 800-145 The NIST Definition of Cloud Computing</a>.</p> <p>To learn more about cloud computing, read the following publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/what-cloud-computing-itsap50110">Introduction to cloud computing (ITSAP.50.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cloud-network-security-zones-itsp80023">Cloud network security zoning (ITSP.80.023)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
- Joint cyber security advisory on Scattered Spider by Canadian Centre for Cyber Security on July 29, 2025 at 5:00 pm
Scattered Spider is a cyber criminal group that targets large organizations and their contracted information technology help desks.
- Security considerations for critical infrastructure (ITSAP.10.100) by Canadian Centre for Cyber Security on July 28, 2025 at 12:35 pm
<article data-history-node-id="680" about="/en/guidance/security-considerations-critical-infrastructure-itsap10100" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--DESKTOP--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.100</strong></p> </div> </div> <!--DESKTOP END--><!--MOBILE --> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2025 | Awareness series</strong></p> </div> <!--MOBILE END --> <p>Critical infrastructure (CI) plays a role in the delivery and support of the necessities of daily life. This includes commonly used utilities and services, such as water, energy and banking. Disruptions to <abbr title="critical infrastructure">CI</abbr> could lead to failure of essential services, endanger public safety or result in loss of life. 
This publication provides information on how <abbr title="critical infrastructure">CI</abbr> sectors can be compromised and what security measures can be implemented to mitigate the risks.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#sectors">Critical infrastructure sectors</a></li> <li><a href="#impact">How cyber attacks impact critical infrastructure</a></li> <li><a href="#threats">The main threats to critical infrastructure</a></li> <li><a href="#protect">How to protect your sector from cyber attacks</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="sectors">Critical infrastructure sectors</h2> <p><abbr title="critical infrastructure">CI</abbr> refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. <abbr title="critical infrastructure">CI</abbr> is often interconnected and interdependent within and across provinces, territories and national borders.</p> <p>The <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National strategy for critical infrastructure</a> identifies the following 10 <abbr title="critical infrastructure">CI</abbr> sectors:</p> <ul><li>energy and utilities</li> <li>finance</li> <li>food</li> <li>government</li> <li>health</li> <li>information and communication technology</li> <li>manufacturing</li> <li>safety</li> <li>transportation</li> <li>water</li> </ul><h3>Operational technology and industrial control systems as potential threat targets</h3> <p>Operational technology (OT) refers to computing systems used to automate industrial processes and operations in many different sectors. 
Industrial control systems (ICS) are a major subset of <abbr title="operational technology">OT</abbr> that allow <abbr title="critical infrastructure">CI</abbr> providers to remotely monitor processes and control the physical devices in their infrastructure.</p> <p><abbr title="operational technology">OT</abbr> systems that have to be connected to the Internet or to other networks and systems are attractive targets for threat actors focused on <abbr title="operational technology">OT</abbr> disruption.</p> <h2 class="text-info" id="impact">How cyber attacks impact critical infrastructure</h2> <p>Cyber attacks on <abbr title="critical infrastructure">CI</abbr> can have serious and devastating consequences. Some of the impacts can include:</p> <ul><li>interruption of essential services, such as electricity, water and natural gas</li> <li>disruption in the production and supply of food and medical supplies</li> <li>loss of public trust and confidence in the economy, national security and defence, and the democratic processes</li> <li>damage to environment and risk to public health from chemical spills, toxic waste discharges or hazardous air emissions</li> <li>lost revenue, reputational risks, job losses or legal consequences for companies and employees</li> <li>disruption to hospital operations, or even compromised medical devices, that could lead to loss of life</li> <li>damage to <abbr title="critical infrastructure">CI</abbr> components that could disrupt, destroy or degrade processes and operations</li> </ul><h2 class="text-info" id="threats">The main threats to critical infrastructure</h2> <p>Cyber threats to <abbr title="critical infrastructure">CI</abbr> sectors can involve stealing mission-critical information, locking sensitive files or leaking proprietary or sensitive information. 
Damage to <abbr title="critical infrastructure">CI</abbr> can threaten national security, public safety and economic stability.</p> <p>Threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors for financial gain. Some <abbr title="critical infrastructure">CI</abbr> sectors, such as healthcare and manufacturing, are popular targets because their owners and operators cannot withstand loss of sensitive information and long-term disruption of essential services. These <abbr title="critical infrastructure">CI</abbr> sectors often have significant financial resources to pay ransom.</p> <p>Insider threat actors may target <abbr title="critical infrastructure">CI</abbr> for personal reasons, such as an act of revenge by disgruntled former employees or customers.</p> <p>State-sponsored cyber threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors to collect information in support of broader strategic goals like influencing public opinion or policy development.</p> <p>The following are some examples of the threats to <abbr title="critical infrastructure">CI</abbr>.</p> <h3>Ransomware</h3> <p>Ransomware is a type of malware that denies users access to systems or data until a sum of money is paid. Other types of malware (for example, wipers and spyware) are used to target <abbr title="critical infrastructure">CI</abbr> by infiltrating or damaging connected systems.</p> <h3>Denial-of-service attack</h3> <p>A denial-of-service (DoS) attack is any activity that makes a service unavailable for use by legitimate users or that delays system operations and functions. A threat actor could make large parts of a <abbr title="critical infrastructure">CI</abbr> sector unavailable and cause potentially catastrophic failure.</p> <h3>Insider threats</h3> <p>An insider threat is anyone who has or had knowledge of, or access to, an organization’s infrastructure and information and uses it, either knowingly or inadvertently, to cause harm. 
Insider threats can have a significant impact on a <abbr title="critical infrastructure">CI</abbr> sector and its business functions.</p> <p>These threats can cause a temporary or permanent loss of visibility and control within the <abbr title="critical infrastructure">CI</abbr> processes and <abbr title="operational technology">OT</abbr>. Loss of control can prevent operators from being able to issue commands to mitigate malicious interference. This can result in uncontrolled damage and shutdown of system components, requiring hands-on operator intervention on the <abbr title="operational technology">OT</abbr>.</p> <h2 class="text-info" id="protect">How to protect your sector from cyber attacks</h2> <p><abbr title="critical infrastructure">CI</abbr> network operators can reduce their risks of cyber attacks by implementing the following security measures.</p> <h3>Isolate <abbr title="critical infrastructure">CI</abbr> components and services</h3> <p>Implement firewalls, virtual private networks (VPNs) and multi-factor authentication (MFA) for remote access connections with corporate networks. When using <abbr title="operational technology">OT</abbr>, test manual controls to ensure critical functions will remain operable if your network is unavailable or untrusted. Use secure administrative workstations to separate sensitive tasks and accounts from non‑administrative computer uses, such as email and web browsing. Implement network security zones to control and restrict access and data communication flows to certain components and users. <abbr title="operational technology">OT</abbr> systems should be on an isolated network and not connected to the Internet.</p> <h3>Enhance your security posture</h3> <p>Implement offline backups that are tested frequently to ensure you can recover quickly in the event of an incident.</p> <h3>Adopt a risk-based approach with updates</h3> <p>Evaluate your system requirements with vulnerability management to determine necessary updates. 
Many updates might be unnecessary to implement and could pose potential risks to your <abbr title="operational technology">OT</abbr> environment. Some vendors issue emergency patches to address critical security vulnerabilities, so it is important to keep informed of what your system might require.</p> <h3>Develop an incident response plan</h3> <p>Include the processes, procedures and documentation related to how your organization detects, responds to and recovers from cyber attacks in your incident response plan. Have a plan specifically for <abbr title="operational technology">OT</abbr> and ensure the critical system components can operate safely in manual mode. Test and revise the plan periodically to ensure critical functions and operations continue in case of system disruptions or unexpected downtime.</p> <h3>Train your employees</h3> <p>Educate your employees on the importance of cyber security best practices, such as identifying phishing, using strong passphrases and reporting incidents as soon as they are detected. Have clearly defined standard operating procedures for security practices and for the acceptable use of the process control systems that directly control physical systems and environments.</p> <h3>Monitor organizational activities</h3> <p>Collect, analyze and store records that are associated with user actions on information systems. Enable logging to better investigate issues or events. Monitor traffic at your Internet gateways and establish baselines of normal traffic patterns. Highly sophisticated threat actors may influence or coerce employees (for example, using social engineering, bribery, blackmail or intimidation) to help them compromise security. 
To guard against these actors, enhance your insider threat monitoring and consider implementing a two-person rule when performing critical administrative functions.</p> <p>For more security measures to consider, read the Cyber Centre’s <a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-sector cyber security readiness goals toolkit</a>.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP 30.030)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Protect your organization from insider threats (ITSAP.10.003)</a></li> <li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a></li> </ul></div> </div> </div> </div> </div> </article>
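<p>Two of the measures above combine naturally at the Internet gateway: "OT systems should be on an isolated network and not connected to the Internet" is a rule that can be checked on every flow, and "establish baselines of normal traffic patterns" gives a threshold for everything else. The following added example (not the Cyber Centre’s code) builds a per-host baseline of daily egress from a constructed seven-day history, then checks one day of constructed flow summaries against three rules in order: any Internet-bound flow from the OT zone, any host with no baseline at all, and any host whose egress exceeds the mean plus three standard deviations. The zone prefixes, host names, addresses and byte counts are assumptions made for the example; a real deployment would feed it from the gateway’s flow records.</p>

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed gateway flow summaries (not real data): daily bytes each host sent to
# Internet destinations over a seven-day baseline window. Zone prefixes are assumed:
# "corp/" user workstations, "dmz/" Internet-facing servers, "ot/" the isolated OT zone.
BASELINE_BYTES_OUT: Dict[str, List[int]] = {
    "corp/ws-0142": [210_000_000, 240_000_000, 190_000_000, 220_000_000, 200_000_000, 230_000_000, 210_000_000],
    "corp/ws-0377": [80_000_000, 95_000_000, 72_000_000, 88_000_000, 91_000_000, 84_000_000, 79_000_000],
    "dmz/web-01": [5_000_000_000, 5_200_000_000, 4_800_000_000, 5_100_000_000, 4_900_000_000, 5_300_000_000, 5_000_000_000],
}

# Today's flows at the gateway: (source host, destination address, bytes out). Constructed.
TODAY_FLOWS: List[Tuple[str, str, int]] = [
    ("corp/ws-0142", "203.0.113.10", 150_000_000),
    ("corp/ws-0142", "203.0.113.44", 70_000_000),
    ("corp/ws-0377", "198.51.100.7", 4_600_000_000),   # roughly 50x this workstation's normal egress
    ("dmz/web-01", "203.0.113.55", 5_100_000_000),
    ("ot/plc-hist-03", "198.51.100.200", 1_200_000),   # an OT host reaching the Internet at all
]


def build_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, sample standard deviation) of daily egress; a single day gives stdev 0."""
    return {host: (statistics.mean(days), statistics.stdev(days) if len(days) > 1 else 0.0)
            for host, days in history.items()}


def flag_anomalies(flows: List[Tuple[str, str, int]],
                   baseline: Dict[str, Tuple[float, float]],
                   k: float = 3.0) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs. Rules in order of severity:
    1. any flow from the OT zone to the Internet violates the isolation requirement;
    2. a host with no baseline has never talked out before;
    3. egress above mean + k*stdev is a volume spike worth a look (possible exfiltration)."""
    per_host = defaultdict(int)
    for host, _dst, nbytes in flows:
        per_host[host] += nbytes
    flags = []
    for host, total in sorted(per_host.items()):
        if host.startswith("ot/"):
            flags.append((host, "ot_zone_internet_egress"))
        elif host not in baseline:
            flags.append((host, "no_baseline"))
        else:
            mean, stdev = baseline[host]
            if total > mean + k * stdev:
                flags.append((host, f"egress_spike: {total} > {mean + k * stdev:.0f}"))
    return flags


if __name__ == "__main__":
    for host, reason in flag_anomalies(TODAY_FLOWS, build_baseline(BASELINE_BYTES_OUT)):
        print(host, reason)
```

<p>With the constructed data, the workstation <code>corp/ws-0377</code> is flagged for a volume spike and <code>ot/plc-hist-03</code> for any egress at all, while the other two hosts stay within their baselines. The ordering matters in practice: the OT rule fires regardless of volume, because a small flow from the OT zone is a zoning failure before it is a traffic anomaly. A mean-plus-k-sigma threshold is a starting point, not a finished detector; very stable hosts get a thin band and will need a floor, and a baseline window should be long enough to include the organization’s normal weekly cycle.</p>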