Guidance, news and events

Suggested organizational security and privacy control and activity profile — Medium impact (ITSP.10.033-01)

2026-04-02T12:28:45Z

April 2026

Practitioner series

ITSP.10.033-01

April 2026 | Practitioner series

Alternate format: Cyber security and privacy risk management: A lifecycle approach - Suggested organizational security and privacy control and activity profile — Medium impact (ITSP.10.033-01) (PDF, 2.3 MB)

Foreword

Suggested organizational security and privacy control and activity profile — Medium impact (ITSP.10.033-01) is an UNCLASSIFIED publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). This publication supersedes Annex 4A – Profile 1 (PROTECTED B / Medium Integrity / Medium Availability). For more information or to suggest amendments, email or phone our Contact Centre: contact@cyber.gc.ca, (613) 949-7048 or 1-833-CYBER-88.

Effective date

This publication takes effect on April 2, 2026.

Revision history

First release: April 2, 2026

Overview

This publication is part of a series of guidelines published by the Canadian Centre for Cyber Security (the Cyber Centre) under Cyber security and privacy risk management: A lifecycle approach.

It suggests a selection of security and privacy controls, activities, and enhancements, together referred to as a “security and privacy control and activity profile.” Organizational security and privacy authorities can use this profile as a reference to create organization-specific profiles suitable for protecting the confidentiality, integrity and availability of medium-value organizational assets against non-state actors. This profile has been developed using the Security and privacy controls and assurance activities catalogue (ITSP.10.033).

The suggested controls and activities in this profile constitute a starting point and need to be tailored to the business, technical, and threat and risk context of each department’s business activities and supporting information systems. The controls and activities were selected based on industry and governmental security and privacy best practices. They also consider certain threat assumptions, derived from Cyber Centre’s analysis of the threat environment faced by information systems in the documented business context. This profile does not address sophisticated state actors’ capabilities, but the assumptions are described in more detail in Section 2.3 Threat context.

This profile is a tool to assist security and privacy practitioners in their efforts to protect information systems in compliance with applicable Government of Canada (GC) legislation and Treasury Board of Canada Secretariat (TBS) policies, directives and standards.

When developing their organizational security and privacy control and activity profiles, organizational security and privacy authorities are responsible for ensuring compliance with all security and privacy requirements of GC regulations and TBS policy instruments applicable to their business activities, as well with as any other contractual obligations.

Security and privacy controls and assurance activities catalogue (ITSP.10.033)

2026-03-31T18:28:12Z

March 2026

Practitioner series

ITSP.10.033

March 2026 | Practitioner series

Alternate format: Security and privacy controls and assurance activities catalogue - ITSP.10.033 (PDF, 4.5 MB)

List of figures

Figure 1: Control or activity structure

Cyber security and privacy risk management: A lifecycle approach

2026-03-31T18:16:57Z

This publication is part of a series of guidelines published by the Cyber Centre, under “Cyber security and privacy risk management: A lifecycle approach.” It contains definitions of assurance activities and controls for systems and organizations that practitioners can use as a foundation for selecting, tailoring and allocating controls and assurance activities to manage cyber security and privacy risks. Implementing a comprehensive set of security and privacy controls and assurance activities can help organizations achieve their business activities.

Security and privacy controls and assurance activities catalogue (ITSP.10.033)

EtherHiding: The trojan in your toolchain

2026-03-31T14:00:15Z

The Canadian Centre for Cyber Security (Cyber Centre) is actively tracking a campaign exploiting blockchain technology to covertly host and distribute malware. This campaign leverages a technique known as EtherHiding.

The Cyber Centre has compiled a detailed analysis derived from a recent investigation to help defenders combat attacks leveraging this technique. This analysis examines the evolution and use of the EtherHiding technique and provides an in-depth characterization of the threat actor’s techniques, along with critical mitigation and detection guidance.

Joint guidance on securing space and cyber security for low earth orbit satellite communications

2026-03-25T14:40:25Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Australian Space Agency (ASA) and the following international partners in releasing cyber security guidance on considerations for users of low earth orbit (LEO) satellite services:

New Zealand National Cyber Security Centre (NCSC-NZ)
United States’ National Security Agency (NSA)

The rapid expansion and increasing reliance on LEO satellite communication (SATCOM) systems have introduced significant cyber security challenges. As LEO satellite constellations grow, the attack surface for threat actors increases. This growth puts critical networks that depend on these satellite services at greater risk. Securing this infrastructure is essential to ensuring the resilience of commercial communications, national security systems and emergency response capabilities.

This joint guidance is intended for users of LEO SATCOM services. It highlights the key cyber security risks and mitigation strategies to support informed decision-making. It also provides organizations with a set of critical questions that they can ask in discussions about security with LEO SATCOM service providers.

Read the full joint guidance: Securing space – Cyber security for low earth orbit satellite communications

Top 10 artificial intelligence security actions: A primer - ITSAP.10.049

2026-03-05T16:56:13Z

March 2026

Awareness series

ITSAP.10.049

March 2026 | Awareness series

In an era of rapid advancements in artificial intelligence (AI), organizations face heightened security risks. Such risks include data theft, reputational harm, and operational and financial loss stemming from adversarial abuse of AI, attacks on AI systems or misuse of AI by business users.

The Canadian Centre for Cyber Security (Cyber Centre) plays a critical role in safeguarding Canadian organizations from these threats. Our top AI security actions are designed to help organizations of all sizes and sectors strengthen their cyber resilience. These recommended AI security actions support and strengthen our existing Top IT security actions (ITSM.10.089), rather than replace them.

By adopting AI-specific security actions, organizations can build more resilient AI-enabled infrastructures and processes. This will minimize the likelihood and impact of AI-related intrusions, misuse and system compromise.

Our top AI security actions are organized into the following 3 pillars:

Pillar 1: Protecting against adversarial use of AI
Pillar 2: Protecting AI Systems
Pillar 3: Protecting users and business processes

Given the speed at which AI solutions are being developed and adopted, we expect the risks and actions to evolve over the next 10 years. However, the 3 pillars are expected to remain the same for the foreseeable future, even as AI models and methods evolve.

Top of page

Pillar 1: Protecting against adversarial use of AI

This pillar provides actions for your organization to enhance your ability to protect your environment from the adversarial use of AI.

Action 1: Implement prompt injection and jailbreak mitigations

Sanitize inputs
Isolate system prompts and protect prompt history
Apply output filtering and policy gating
Restrict high risk tools and agents via role based access and identity controls
Validate downstream actions (files, code and tools) before execution
Quarantine anomalous outputs
Reduce access to private data by AI models
Limit exposure to untrusted content
Reduce the ability for AI systems to communicate externally (such as embedded data in markdown image URLs)

Why this action matters Action 1

Imagine that you’re chatting with a smart chatbot assistant, but a hacker finds a way to secretly slip in sneaky commands inside your questions. These commands trick the AI into doing things it shouldn’t do, such as running harmful computer commands.

This happened in 2025 with GitHub Copilot. Threat actors used a clever “prompt injection” to fool it into running dangerous code remotely. Microsoft quickly fixed it, showing us that spotting these hidden hacks early is key to keeping AI safe.^{Footnote 1}

Action 2: Defend against deepfake and impersonation

Deploy media authenticity checks and detection
Enforce strong identity verification and phishing-resistant multi-factor authentication (including meeting PINs) for conferencing and messaging
Train staff to verify unusual requests across channels
Implement out of band verification for sensitive actions
Implement abuse prevention for scams and social engineering at scale
Monitor for AI generated phishing and voice or video spoofs
Follow our Top 10 IT security actions (ITSM.10.089), including securing online accounts, to reduce hijacking and limit the impact of disinformation or false narratives
Set the default for all identify signals (such as voice and video) as untrusted until verified by your organization
Implement robust identity binding processes for higher risk business functions, such as finance, administrative privileges and access to sensitive information
Enforce identity risk scoring to AI when it’s used to launch or accelerate specific actions to determine the likelihood of compromise

Why this action matters Action 2

In early 2024, a British design and engineering firm lost millions of dollars/pounds when a threat actor used AI-powered deepfake technology to impersonate the company’s CFO. During a video call, they fooled an employee in Hong Kong into transferring funds to fake accounts. The money quickly vanished offshore.

In May 2025, a separate incident highlighted how a global advertising giant narrowly avoided a similar scam. In this case, a threat actor used deepfake video and audio of the CEO and senior executives in a Microsoft Teams meeting to try to trick employees into leaking confidential information and making payments.^{Footnote 2}

Action 3: Harden defences against AI powered cyber attacks and fraud

Upgrade analytics for high volume, automated probing and credential stuffing
Enforce rate limiting, bot detection and adaptive authentication
Adopt zero trust principles and best practices
Establish clear standards for data quality, code and documentation
Regularly refactor models and code as systems evolve
Ensure ongoing maintenance, automated testing and proactive code review
Continuously monitor to mitigate “technical debt” and improve long-term AI system reliability and adaptability
Train staff on AI threats and create tailored awareness programs which include:
- sharing intelligence reporting
- developing resilience by addressing known issues through employee upskilling and vulnerability disclosure

Why this action matters Action 3

Early in 2025, ransomware attacks exploded by almost 150%. A new trend has emerged where threat actors use AI to craft perfect phishing emails that appear to be from your boss or bank. AI-driven malware can shape-shift (called polymorphic malware), acting normally on your computer to avoid being spotted until it’s too late.

Ransom amounts have increased from hundreds of thousands to millions of dollars, while the level of effort for threat actors has gone down significantly.^{Footnote 3}

Top of page

Pillar 2: Protecting AI systems

This pillar provides actions for your organization to enhance your ability to protect AI systems.

Action 4: Conduct testing and red teaming of AI to identify modifications

Regularly evaluate models, pipelines and interfaces against known attacks (such as evasion, prompt injection and poisoning)
Update guardrails as exploits evolve
Prioritize vetted, signed and well-maintained models based on risk assessments
Apply timely patches and configuration updates
Develop recovery plans to provide options for faulty deployments
Implement disaster recovery and incident response plans for AI systems

Why this action matters Action 4

In July 2025, researchers found a critical data poisoning exploit in Microsoft 365 Copilot and similar retrieval-augmented generation (RAG) AI systems where threat actors injected poisoned documents to manipulate AI outputs persistently. This exploit showed the danger of insufficient continuous testing and updating of AI guardrails against evolving attacks.^{Footnote 4}

Action 5: Safeguard against data poisoning

Track data provenance
Curate versioned datasets
Harden training environments or use sandboxed architectures
Run anomaly and bias detection on ingested data (including mirrored or manipulated news or content sources)
Implement gate training and finetuning with approval workflows and model and data rollback plans
Ensue rigorous identity and access control measures are implemented across all parts of the data and operations chain

Why this action matters Action 5

In 2024, security researchers working with Wiz and Hugging Face uncovered a risk in which malicious actors could upload poisoned data to Hugging Face’s dataset repositories. This vulnerability threatened AI pipelines of multiple organizations using their models and data. It exposed weak tracking of data sources and lack of anomaly detection on ingested data.^{Footnote 5}

Action 6: Implement data usage controls and model theft prevention

Enforce “no train” defaults and strict data sharing controls
Implement vendor contractual clauses
Log and audit all models and data access
Monitor application programming interfaces (APIs) for extraction patterns (such as mass queries or label harvesting)
Prevent sensitive data leakage with data loss prevention and secret scrubbing

Why this action matters Action 6

Threat actors carry out model extraction attacks by querying a machine learning model extensively and using the responses to train a replica with similar functionality. Implementing defences like API rate limiting, authentication, query monitoring, model watermarking, and legal protections can prevent unauthorized model replication and data leakage.

Action 7: Secure AI engineering and supply chain processes

Implement and maintain an AI bill of materials (AIBOM)
Reduce “technology debt” when AI systems are deployed or advanced very quickly and without secure deployment controls
Ensure a strong foundational system, in accordance with Cyber security and privacy risk management series: A lifecycle approach (ITSP.10.033), is in place before layering AI systems on top of existing IT infrastructure
Keep AI applications up to date
Cryptographically sign models, code and artifacts or use hash-based validation as a start
Maintain an AI specific software bill of materials (SBOM) for models, datasets, and dependencies
Align with secure development frameworks (such as ITSP.10.033) and AI risk management standards including the:
- National Institute of Standards and Technology’s (NIST) Artificial Intelligence Risk Management Framework
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standard 42001:2023 Information technology — Artificial intelligence — Management system
Implement change control, reviews and dependency scanning

Why this action matters Action 7

In 2024, the NullBulge group conducted high-profile supply chain attacks on AI-related open-source repositories hosted on GitHub and Hugging Face. By injecting malicious Python payloads into widely used AI tools and dependencies, they were able to exfiltrate sensitive data and deploy ransomware into downstream systems.

This incident underscores the dangers of technology debt when AI solutions are rapidly adopted without robust security controls. The incident also demonstrates the urgent need for foundational secure engineering, cryptographically signed artifacts, comprehensive SBOMs, and adherence to recognized security frameworks.^{Footnote 6}

Top of page

Pillar 3: Protecting users and business processes

This pillar provides actions for your organization to enhance your ability to protect users and business processes.

Action 8: Enforce data privacy, vendor and contractual controls

Classify and minimize personally identifiable information (PII) in prompts
Encrypt data in transit and at rest
Apply data loss prevention, access controls and retention limits
Require transparency, audit rights, liability and use restrictions (for intellectual property and copyright issues)
Support the labelling of generative AI content to improve transparency
Map and identify sanctioned and unsanctioned models operating on a network
Implement policies, process and tools to govern the use of “shadow AI”
Create an internal business policy for the acceptable use of AI tools
Apply allow and deny lists for AI solutions
Draft procurement clauses for vendors of AI-generated tools or solutions to protect against reputational harm

To meet regulatory expectations and manage vendor risk, contracts with AI vendors should include explicit data usage, privacy, audit, and liability clauses. These clauses should include:

prohibiting unauthorized use of organizational data for model training
ensuring encryption and access controls for all PII
requiring vendor transparency and audit rights
embedding usage restrictions and liability terms to protect against data leakage, unauthorized reuse, and reputational or legal harm

Why this action matters Action 8

Internal policies, including lists of approved AI tools and shadow AI controls, ensure AI tools are used safely and in compliance with privacy laws and contractual obligations.

Action 9: Ensure that human-in-the-loop oversight and execution controls are in place

Embed human checkpoints in automated and multi‑agent workflows
Provide explainability tools and auditable decision trails
Implement escalation, triage, rate limits and kill‑switches or emergency shutdown procedures for high‑impact actions

Why this action matters Action 9

In 2025, an HR technology company faced reputational damage and legal scrutiny after removing human review from its AI-driven candidate screening process. The lack of human oversight allowed unchecked algorithmic bias to influence hiring decisions. In response, the organization reinstated human-in-the-loop controls, added execution checks, and established auditable decision trails to ensure all AI-driven outcomes are monitored and can be corrected by human reviewers.^{Footnote 7}

Action 10: Maintain operational resilience against model drift, hallucinations, bias and overreliance

Continuously monitor for drift and performance degradation
Retrain or retire models that exceed validated bounds
Continuously monitor for AI decision transparency to enable better understanding of model decisions and outputs
Add truth checking and human review for critical outputs
Test for bias and misuse
Maintain fallback procedures and user training to avoid overreliance
Require human review to prevent introduction of made-up components and containers for software code that could be appropriated by a threat actor
Implement detection measures and retraining thresholds

Why this action matters Action 10

Financial regulators, including Canada’s Office of the Superintendent of Financial Institutions (OSFI), have identified AI model risk as a growing supervisory concern, particularly risks arising from data quality issues, model drift, lack of transparency, bias, and overreliance on automated outputs. OSFI has warned that poorly governed AI systems can produce unreliable or unexpected results, potentially leading to operational disruption, financial loss, legal exposure, and reputational harm if not actively monitored and controlled.

As AI models evolve over time and conditions change, maintaining operational resilience requires continuous performance monitoring, explainability, human oversight for critical decisions, and clear fallback procedures to ensure AI systems remain within validated and acceptable risk boundaries.^{Footnote 8}

Top of page

Joint guidance on supply chain risks and mitigations for artificial intelligence and machine learning

2026-03-05T15:05:25Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the following international partners in releasing cyber security guidance on supply chain risks and mitigations for artificial intelligence (AI) and machine learning (ML):

Japan’s National Cybersecurity Office (NCO)
New Zealand National Cyber Security Centre (NCSC-NZ)
Republic of Korea’s National Intelligence Service (NIS)
Singapore’s Cyber Security Agency (CSA)
United Kingdom’s National Cyber Security Centre (NCSC-UK)
United States’ National Security Agency (NSA)

AI and ML systems allow organizations to improve their efficiency in various ways, including by making informed decisions, streamlining processes and improving customer experience.

If not securely managed, adopting AI or ML systems and using pre-trained models and third-party data sets can introduce unique supply chain risks and expose your organization to existing vulnerabilities and compromises. Organizations should know what to look out for when developing or incorporating AI and ML into their systems.

This joint guidance is intended for organizations and staff that deploy or develop AI or ML systems and components. The risks and mitigation in this joint guidance should inform organizations’ questions and requirements for vendors when sourcing third-party AI or ML systems and components. It aims to highlight the importance of AI and ML supply chain security and address key risks and mitigations that should be considered when developing or procuring an AI system.

Consult the full joint guidance: Artificial intelligence and machine learning – Supply chain risks and mitigations

Cyber threat bulletin: Iranian Cyber Threat Response to US/Israel strikes, February 2026

2026-03-02T15:28:10Z

Overview

On February 28, 2026, the United States (U.S.) and the State of Israel (Israel) launched military strikes against the Islamic Republic of Iran (Iran) to eliminate threats from the Iranian regime.^{Footnote 1} Iran retaliated with military strikes against Israel and U.S. military bases across the Middle East.^{Footnote 2}

On February 28, 2026, the Government of Canada released a statement supporting the United States acting to prevent Iran from obtaining a nuclear weapon and to prevent its regime from further threatening international peace and security.^{Footnote 3}

Iran will very likely use its cyber program to respond to the joint U.S. and Israel combat operations against Iran. Possible responses by Iranian cyber threat actors include:

Cyber attacks against critical infrastructure;
Cyber-enabled information operations;
Online harassment of military personnel; and
Harassment and repression of diaspora and activist communities.

Canadian critical infrastructure operators and other possible targeted entities should remain vigilant to threats posed by cyber actors aligned with Iranian interests.

Iran uses cyber program to retaliate, achieve geopolitical goals

Iranian state-sponsored cyber threat actors conduct disruptive cyber-enabled information operations to further Iran’s geopolitical objectives and the regime’s interests. Iran has developed a network of hacktivist personas and social media channels to intimidate Iran’s opponents and shape public opinion.^{Footnote 4}
Iranian state-sponsored cyber threat actors opportunistically target poorly secured critical infrastructure (CI) networks and internet-connected devices around the world, including those associated with the water and energy sectors.^{Footnote 5} Iranian cyber threat actors have performed denial of services attacks, attempted to manipulate industrial control systems, and accessed networks to encrypt, wipe, and leak data.^{Footnote 6}
Pro-Iran hacktivists conduct cyber threat activity against Iran’s rivals, but often overstate their impact. In response to the U.S. airstrikes on Iranian nuclear sites in 2025, pro-Iran hacktivist groups claimed to have conducted distributed denial-of-service (DDoS) attacks against websites associated with the U.S. military, U.S. defence companies and U.S. financial institutions.^{Footnote 7} Pro-Iran hacktivists will likely view Canada as a target for low-sophistication disruptive cyber activity due to Canada’s public support of the US/Israel military activity.
Iranian state-sponsored cyber threat actors likely conduct cyber espionage against individuals in Canada that the Iranian regime considers a threat, such as political activists, journalists, and human rights advocates.^{Footnote 4} We assess that Iranian cyber threat actors will likely target opponents abroad, especially those advocating for regime change in Iran.^{Footnote 8}

Top of page

Characteristics of Iranian cyber threat activity

Compelling social engineering

Iranian cyber threat groups are particularly sophisticated in combining social engineering with spear phishing, using these efforts to target public officials and gain access to government networks and private sector organizations globally.^{Footnote 9}

Iranian social engineering efforts focus on using professional interactions on social media platforms to gain information about organizations related to Iran’s political, economic and military interests, particularly in the aerospace, energy, defence, security, and telecommunications sectors.^{Footnote 9}

Exploiting known vulnerabilities

Iranian cyber threat actors exploit known vulnerabilities to gain initial access to systems, and then leverage this access for follow on operations such as data exfiltration or encryption, ransomware, and extortion.^{Footnote 10}

Iranian cyber threat actors opportunistically identify targets using publicly available scanning tools to search for internet-exposed systems with vulnerable configurations, for example devices using default or weak passwords and without multi-factor authentication.^{Footnote 11}

Disruptive and destructive cyber attacks

Iranian cyber threat actors typically conduct DDoS attacks and website / device defacements to temporarily disrupt target networks. They also deploy ransomware and destructive wiper malware and conduct hack-and-leak operations against compromised targets.^{Footnote 12}

Top of page

Useful resources

Refer to the following online resources for more information and useful advice and guidance.

Reports and advisories

Canada’s threat assessments
- National Cyber Threat Assessment 2025-2026
Advisories and partner publications

Advice and guidance

Top of page

About this document

Contact

For follow-up questions or issues, contact the Cyber Centre at contact@cyber.gc.ca.

Assessment base and methodology

The key judgements in this assessment rely on reporting from multiples sources, both classified and unclassified. The judgements are based on the Canadian Centre for Cyber Security (Cyber Centre)’s knowledge and expertise in cyber security. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. CSE’s foreign intelligence mandate provides us with valuable insight into adversary behavior in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.

Our key judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. We use qualifiers such as “possibly”, “likely”, and “very likely” to convey probability.

The contents of this document are based on information available as of February 28, 2026.

Estimative language

Long description - Estimative language chart

Joint guidance on malicious cyber threats to SD-WAN networks

2026-02-25T16:10:24Z

Malicious cyber threat actors are targeting Software-Defined Wide Area Networks (SD-WAN) networks used by organizations globally. The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), and international partners strongly encourage immediate action to ensure SD-WANs are patched, hardened and investigated for potential compromise.

Consult the following for additional information and recommendations:

The Cyber Centre is monitoring the situation and can provide assistance and advice as required. If you believe your organization has been impacted or requires assistance, contact us by email at contact@cyber.gc.ca or by phone at 613-949-7048 or 1‑833‑CYBER‑88.

Quote

We urge Canadian organizations and their network defenders to heed this warning, use the hunt guide, and patch. These malicious cyber threat actors are targeting organizations globally. Vigilance and immediate action will help us all harden our defences to get ahead of this threat.
Rajiv Gupta, Head of the Canadian Centre for Cyber Security

Background

The Cyber Centre has joined ACSC and the following other international partners in releasing guidance alerting of malicious cyber threat actors targeting SD-WAN networks used by organizations globally:

New Zealand National Cyber Security Centre (NCSC-NZ)
United Kingdom National Cyber Security Centre (NCSC-UK)
United States National Security Agency (NSA)
United States Cybersecurity and Infrastructure Security Agency (CISA)

Threat actors have been observed using CVE-2026-20127 to add a malicious rogue peer. They have then conducted a range of follow-on actions to achieve root access and maintain persistent, long-term access to SD-WAN networks.

ACSC’s hunt guide (PDF) has been prepared based on observations from various investigations and details the tactics, techniques and procedures (TTPs) leveraged by these malicious actors. The hunt guide aims to support network owners and defenders to conduct detection and threat hunting activities and provides mitigation guidance to reduce the risk from the observed TTPs.

Mitigation advice

The authoring agencies strongly urge network defenders to ensure SD-WANs are fully patched (including for CVE-2026-20127) and to hunt for evidence of compromise detailed in the hunt guide. The guidance also urges organizations to review and implement Cisco's SD-WAN hardening guidance.

To reduce the risks to your networks, Cisco’s SD-WAN hardening guidance should be reviewed in full. It includes advice on the following:

Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 interfaces, and use IP blocks for manually provisioned edge IPs
SD-WAN manager access: Replace the self-signed certificate for the web user interface
Control and data plane security: Use pairwise keying
Session timeout: Limit to the shortest period possible
Logging: Forward to a remote syslog server

Additional resources

For more information on vulnerabilities, visit our Alerts and advisories page.

For best practices, visit our Cyber security guidance page.

CSE calls on Canadian organizations and critical infrastructure providers to strengthen defences on fourth anniversary of Russia’s invasion of Ukraine

2026-02-20T19:06:58Z

The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) are urging Canadian organizations to stay vigilant and strengthen their defences against malicious cyber threats as the four-year mark of Russia's full-scale invasion of Ukraine approaches.

Over the past four years, the Cyber Centre has observed pro-Russia cyber actors targeting countries, including Canada, that support Ukraine. These activities have affected government and military agencies, private and public sector organizations, and critical infrastructure networks in Canada. Russian cyber threat actors have also attempted to disrupt services to Canadians by targeting cloud-based platforms, supply chains, and Internet-facing systems, including through distributed denial of service (DDoS) attacks.

As we previously reported, we continue to see ideologically motivated, pro-Russia non-state cyber groups conducting malicious activity against perceived enemies. These groups are generally less sophisticated than state-sponsored actors but act independently, leading to unpredictability and a higher tolerance for risk.

Canadian organizations and critical infrastructure operators should remain vigilant to threats posed by cyber actors aligned with Russian interests and prepare for potential service disruptions, website defacement and increased ransomware activity. Operators of Internet-connected operational technology (OT) devices should remain alert, as these systems are easily discoverable and vulnerable to cyber threats.

We urge all Canadian organizations to implement appropriate measures now to defend against threats from Russian-aligned cyber actors.

Recommended actions

Adopt the Cyber Centre's Cross-Sector Cyber Security Readiness Goals
Follow the Cyber Centre's guidance on:
Consult the Cyber Centre's top 10 security actions to protect Internet-connected networks and information with special attention to:
- Consolidating, monitoring and defending Internet gateways
- Segmenting information
- Isolating web-facing applications
Review joint guidance on:
Consult the Cyber Centre's backgrounder on malicious cyber activity targeting Canadian critical infrastructure and security considerations for critical infrastructure, focusing on:
- Isolating components, services and systems
- Maintaining and testing offline backups
- Developing an incident response plan
- Monitoring IT and OT environments and enabling logging
Take note of the Cyber Centre's alert on Internet-accessible industrial control systems abused by hacktivists
Review perimeter network systems for signs of suspicious activity
Report cyber incidents to the Cyber Centre

The Cyber Centre continues to share cyber threat information with Canadian critical infrastructure and government partners via protected channels throughout the year. We actively monitor the cyber threat environment in Canada and globally. Canadian organizations that believe they may have been targeted by cyber threat activity should contact the Cyber Centre by email at contact@cyber.gc.ca or by phone at 1-833-CYBER-88.

Related resources

Security considerations for SIMs (ITSAP.10.021)

2026-02-16T18:56:46Z

February 2026

Awareness series

ITSAP.10.021

February 2026 | Awareness series

A subscriber identity module (SIM) card is an electronic chip that stores mobile network user information, such as your phone number and authentication key used to grant access to the cellular network. A SIM card is also referred to as a universal integrated circuit chip (UICC), which is the modern day version of the original SIM card. Although the UICC is the technical term, it continues to be referred to as the SIM card.

Because of the information they store, SIMs can be valuable targets for threat actors. This publication aims to help you understand the main threat, known as SIM swapping, and provide you with recommendations to better protect yourself.

Difference between a SIM card and an eSIM

A SIM card is a physical card inserted into a device. It uses information stored within it to identify and authenticate the user on a mobile network. An embedded SIM (eSIM) is a non-removable electronic chip integrated into the device, making it easy to configure and activate remotely. An eSIM is capable of storing several SIM profiles at once.

Considerations for eSIMs

Providers are increasingly offering eSIMs as a format due to convenience. However, there are risks associated with them. eSIMs can make it easier for threat actors to:

compromise and gain access to your mobile accounts
conduct social engineering and remote attacks, as they can be digitally generated and electronically transferred
compromise multiple profiles at a time
leverage malicious software through arbitrary code execution

SIM swapping

SIM swapping is an attack against your mobile phone account that transfers your phone number to a threat actor’s SIM card or eSIM without your knowledge or permission. Some other common terms used for SIM swapping include SIM jacking, SIM napping and SIM porting.

If a threat actor is successful with a SIM swapping attack, they can use their device to control communications meant for you, including through impersonation. This scam is also used to access other accounts, such as your bank account, that might use your phone number as a method to verify your identity.

How SIM swapping happens

Threat actors leverage the following methods to conduct SIM swapping attacks.

Calling your provider

Threat actors attempt SIM swapping using a similar process that providers follow when they transfer a user’s phone number from their old device to a new one during an upgrade. Threat actors can try to transfer a victim’s phone number to their own device by calling the mobile network provider and fraudulently impersonate the victim. They can bypass common security questions used to verify your identity by researching the personal information you’ve shared online.

Stealing your credentials

Threat actors can also try to access your mobile account details on the provider’s website to initiate and authorize a SIM swap. They use credential stuffing, where criminals use stolen usernames and passwords, or collect personal information that has been shared online and on social media to answer security questions during account authentication.

Exploiting insider access

SIM swapping can occur due to insider threat. Employees and other insiders with internal access to a mobile service provider can falsely authorize changes to customer accounts and sell swapped SIMs.

Consequences of SIM swapping

If you are a victim of SIM swapping, a threat actor will receive your phone calls, messages and notifications on their device. Since mobile devices are often used as an authentication measure, a threat actor can impersonate you and gain access to your accounts and information, putting both you and your organization at risk.

Individual risks

As an individual, being a victim of SIM swapping possesses several risks. A threat actor can:

change and steal other account credentials
prevent you from accessing and managing your accounts
steal your money and financial information
control and handle information managed through personal accounts
impersonate you to spread the scam to your contacts

Organizational risks

Depending on your organization’s posture on device-use (for example, company-owned or personal devices) and remote work, it is important to evaluate the level of sensitivity of the data being handled. If threat actors compromise a mobile service that handles your organization’s information, they can:

impersonate the individual behind the account
spread phishing scams and malware to other accounts and devices
gain access to sensitive and confidential information
compromise systems and processes
damage your business’ reputation and trust with customers and partners

The signs of SIM swapping

There are signs you can look out for that signify that a threat actor may be trying to or has swapped your SIM. These include:

abnormal reduction in messages on your device
lack of verification messages when using multi-factor authentication (MFA)
phishing messages asking to verify your account with a PIN or clicking a link to login
messages indicating activity on your account that you don’t remember
changes to account information you did not make
losing access to online accounts (for example, banking, email and social media)
transactions on accounts that are unknown
disconnection from cellular network

If your SIM has been successfully swapped, you will lose cellular service as well as Wi-Fi calling capabilities. It is important to note that being connected to Wi-Fi can keep your data connection active. If you switch between cellular service and Wi-Fi automatically and frequently, you may not immediately recognize when your SIM is compromised.

How to protect your SIM

It is important to take preventative security measures to reduce the risks of being a victim of SIM swapping. The best ways to protect yourself from SIM swapping include:

using any additional verification requirements your mobile provider offers to help protect your account
requesting your mobile provider to enable port protection or a SIM lock on your accounts, if available
enabling MFA that includes methods other than those that rely on your phone number (for example, a PIN, biometric or authentication app)
keeping sensitive information related to account security questions private (for example, date of birth, home address and mother’s maiden name)
using separate and unique email addresses for financial accounts and social media
creating different passwords and passphrases for each of your accounts
keeping up with your provider’s security advisories and Cyber Centre guidance and alerts

Organization-specific security measures

Alongside the security measures mentioned, there are some specific security practices your company should consider to help prevent SIM swapping.

Have a clear device usage policy for what data can be handled on certain devices
Enforce cellular contracts for company-owned devices that prohibit account migration without your organization’s approval
Implement mandatory maintenance sessions for company-owned devices
Use authenticator applications that generate one-time passcodes for MFA rather than verification measures connected to the phone number (for example, text message and phone call)
Deploy hardware security keys to secure and authenticate highly sensitive accounts if necessary
Classify and label data according to sensitivity levels and clearly establish how data belonging to each level should be handled
Offer cyber security training

Learn more

GeekWeek 11

2026-02-13T13:56:36Z

GeekWeek provides an opportunity for participants to take few days away from their day-to-day and work with public sector, industry, critical infrastructure and international partners to explore innovative ideas in the cyber security space.

Venue

Canadian Centre for Cyber Security
1625 Vanier Parkway, Ottawa
ON K1L 7P1

May 27 to June 5, 2026

If you’re interested in future Geek events, reach out to contact@cyber.gc.ca.

Given the technical nature of the workshop, GeekWeek is an invitation-only event.

To be confirmed.

The following topics and themes have been proposed for GeekWeek 11.

Cyber physical systems

The cyber threat to marine transportation

2026-02-12T15:03:18Z

Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140

2026-01-29T14:32:45Z

January 2026

Management series

ITSM.00.140

January 2026 | Management series

Alternate format: Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140 (PDF, 506 KB)

Foreword

This is an UNCLASSIFIED publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). For more information, please email or phone our Contact Centre:

email contact@cyber.gc.ca |Mobile 613-949-7048 or 1‑833‑CYBER‑88

Effective date

This publication takes effect on January 29, 2026.

Revision history

First release: January 29, 2026

Overview

Organizing and sharing information during a cyber incident involves a structured approach that ensures the effective communication of relevant details to the Canadian Centre for Cyber Security (Cyber Centre). The purpose of this publication is to clarify the types of information the Cyber Centre considers “actionable.”

Spotting malicious email messages (ITSAP.00.100)

2026-01-28T18:26:13Z

January 2026

Awareness series

ITSAP.00.100

January 2026 | Awareness series

Email is a convenient communication tool for individuals and organizations. It provides an easy way to exchange documents, images, links and various files. However, threat actors can use email for malicious purposes. They frequently target organizations and their networks to steal information. Threat actors are technologically savvy, conscious of vulnerability and aggressively agile. A successful intrusion can quickly lead to data and privacy breaches.

As an employee, you may have access to sensitive corporate information, which can make you a target. You should be wary of malicious emails, which threat actors use to infect devices and systems to access information. Knowing how to spot malicious emails and phishing attempts can help protect your organization's information and networks.

How threat actors use malicious emails

Threat actors use malicious emails to conduct a variety of malicious activities, including to:

steal your sign-in details or credentials
spread malware, including viruses, ransomware and spyware, to infect your device or spread to other devices on your network
steal your information, corrupt or damage your files

Phishing attacks

Phishing is the act of sending fraudulent communications that appear to be legitimate. Phishing emails often contain malicious attachments or links to malicious websites. Threat actors carry out phishing attacks to trick you into disclosing sensitive information, such as credit card numbers, social insurance numbers or banking credentials. Phishing attacks can take the form of emails, texts or phone calls, but this publication focuses on malicious emails.

Threat actors can be highly skilled at creating emails that look legitimate. These emails may contain company logos or trademark information. The subject lines are relevant, and the messages are pertinent. Given our desire to trust and the sheer number of emails we receive daily, it can be easy to believe the content we read in these emails, click on embedded links, or open attachments. However, the attachments may contain malicious software, and the links may direct you to malicious websites.

Some types of malware can scan your contacts and automatically send an infected message to everyone on your contact list. Even if an email comes from someone you know, you should always think twice before clicking links or opening attachments. Configuring your email to preview emails, access links and open attachments could inadvertently allow a threat actor to:

remotely access sensitive device information
execute malware
use your device as a foothold to access other network resources

Phishing emails come in various forms. Common methods include:

Spear-phishing: A threat actor sends emails to specific targets, such as an individual, a group or an organization. A spear-phishing email is crafted using the recipient's personal or professional characteristics and interests. Threat actors often use publicly available information from the individual's social media accounts. Spear-phishing emails require more effort from threat actors, but recipients are more likely to respond to the email, open attachments or click on links.
Whaling: A threat actor sends emails to high-profile individuals or senior executives. They create targeted and convincing emails by using personal information about the individual or the organization they work for. Threat actors may use publicly available information from the organization's website or social media accounts.
Quishing: A phishing attack using malicious "quick response" (QR) codes in emails that re-directs you to a malicious website when the QR code is scanned. Check the website URL to make sure it is the intended site.

Remember, no one is immune. Although anyone can be the target of phishing attacks, the following individuals are more commonly targeted:

senior executives and their assistants
helpdesk staff
system administrators
users who have access to sensitive information
users who have remote access
users whose jobs involve interacting with members of the public

Top of page

How to spot malicious emails

Threat actors will try to make malicious emails look legitimate. As such, it is important to know how to spot a potentially dangerous one.

Verify the sender's email address to confirm it matches the official address of the organization or individual they claim to be. Know how the organizations and businesses you interact with typically contact you and what type of information they may ask for. For example, a bank should never send links to online banking and ask you to login. You should always access your banking platform through its official app or website.

Malicious emails can be difficult to identify, but there are some clues that can help you:

an unfamiliar or misspelled name or email address of the sender
an invalid username or domain name in a sender's email address
altered or unprofessional company logos
generic or odd greetings
poor grammar or spelling
urgent tone and direction to act quickly
urgent messages about current "hot-button" issues related to personal or political causes, major domestic or international events or crises, or organizational challenges
unusual requests (for example, most companies do not ask for sensitive or personal information in an email or insist that you collect a package or pay an overdue invoice)

Keep in mind that malicious emails may not always contain telltale poor grammar or spelling, particularly if they were created using generative artificial intelligence (AI) tools.

Always be suspicious of unsolicited emails requesting personal or confidential data. Take proactive steps to verify their legitimacy before responding or supplying any information. If you receive an email requesting personal information, search for the organization's official website and contact them using the phone number provided. This way, you can confirm if the request is genuine.

How to protect against malicious emails

You can protect yourself and your organization from malicious emails by implementing the following best practices.

Handle suspicious emails with care

When in doubt, avoid opening suspicious emails and contact the sender by another means (for example, by phone) to confirm they contacted you.

Do not click on links, attachments or QR codes in emails

If you are being asked to log into an account for an unsolicited reason, do not click the link, do not open attached files and avoid scanning QR codes. Instead, visit the organization's website by manually entering the URL in your web browser or by searching through a search engine.

Report suspicious emails

If you receive a suspicious email or suspect malicious activity on a work device or a work account, report the incident to your organization's IT and security teams. Follow their instructions and do not forward the email to coworkers. You can also report phishing emails to the Cyber Centre or the Canadian Anti-Fraud Centre.

Use email filters to block malicious content and spam

Many email programs offer filtering capabilities that allow you to block certain addresses or only accept email from addresses in your contact list. Be careful who you share your email address with, and do not sign up for every mailing list and rewards program offered by retailers. Some businesses will sell your email address to third parties. You can create disposable or "dummy" email addresses to reduce spam. Many online email services also allow you to create email aliases that can be directed to a specific email folder instead of your main inbox.

Delete items in your junk folder

Many email platforms let you configure settings to automatically empty your junk folder after a set number of days. If you choose to do so, you should still check your junk folder so that you do not miss potentially important messages.

Set up client portals

If your organization requires clients to frequently provide information or documents, set up an online client portal to safely collect them This way, employees will not have to question every email attachment they receive.

Establish clear policies

Your organization should define clear policies on configuration settings and AI use to limit the risk of malicious email messages. These should include:

installing and properly configuring a firewall and anti-malware software
configuring a protective domain name system (DNS) on your devices, modems and routers
enabling a software allowed list and regularly updating all software
implementing quarantine functions in your organization's anti-malware software
using trusted and reputable AI detector tools to verify whether content is human or AI-generated
omitting sensitive information when using AI tools

Additional best practices

Use secure messaging portals instead of email for communicating your personal information
Use bookmarks or a search engine to access websites rather than clicking on links
Be suspicious of emails that are not addressed directly to you or do not use your correct name or salutation
Do not open attachments or links from an unknown sender or if they have strange file names or multiple file extensions
Configure your office suite to prevent macros from running without confirmation or to not run macros from email messages
Deactivate automatic downloads and execution of attachments and images
Configure your inbox to not load external images to mitigate the risk of tracking pixels (embedded codes in logos or images that can track your location and behaviour)

Top of page

How to handle malicious emails

If you receive an offensive, abusive or potentially criminal message, inform your local police. Save the message as authorities may ask you to provide a copy to help with any subsequent investigations. Do not send the message to anyone else.

If you accidently interact with a malicious email, remain calm and take the following actions:

Stop using your device
Disable Wi-Fi or disconnect network cables so the device cannot communicate with the Internet
Power off the device
Contact your IT security department if you are using a corporate device. They can disable accounts and other device features
Change your password, passphrase, or PIN using a different device
Scan the device using anti-malware software if possible
Restore network connections only when you believe you have a clean system
Perform any available updates and security patches on your device
Monitor your accounts regularly for suspicious activity

Learn more

Top of page

Ransomware: How to prevent and recover (ITSAP.00.099)

2026-01-28T18:16:57Z

January 2026

Awareness series

ITSAP.00.099

January 2026 | Awareness series

Ransomware is a type of malware that denies a victim access to a system or data until they pay a sum of money. When ransomware infects a device, it renders the system unusable or encrypts its storage, preventing access to the information and systems. Threat actors have evolved their tactics and often leverage data theft as the primary method of extortion.

Threat actors can exploit vulnerabilities and leverage many attack vectors to infect your network, systems, and devices with ransomware. Regardless of skill, this can be done by using malicious code and services purchased from the dark web. This is known as ransomware-as-a-service. Additionally, threat actors can use artificial intelligence tools to write effective ransomware. This automates the discovery of weak points in a network, bypassing defences, deploying malware and erasing evidence of the intrusion.

This publication provides tips to help your organization prepare for and recover from ransomware attacks.

How ransomware infects devices

Threat actors can use a compromised device to spread the ransomware to other connected systems and devices on the same network. Ransomware can infect devices when users:

open legitimate-looking but malicious attachments in messages
click on malicious links or attachments embedded in websites
open personalized and targeted content in phishing emails, texts and social media

Threat actors shape their malicious content by scouting social and professional contacts for information they can exfiltrate. They may also monitor communication habits before deploying the ransomware.

If a device is infected with ransomware, you will receive a ransom notice on your screen indicating your files have been encrypted and are inaccessible until the ransom is paid. Cybercriminals often request payment in the form of cryptocurrency because of the anonymity it provides. Cryptocurrency enables cybercriminals to move profits internationally, expanding their reach and complicating law enforcement efforts. Other ransom payment methods often include prepaid credit or gift cards. Threat actors typically give a deadline for paying the ransom, after which they may increase the ransom amount, destroy your files or leak your data.

Top of page

How to prepare your organization

There are several approaches you can take to better protect your networks, systems and devices. The following is a list of actions you can take to strengthen your cyber security.

Plan ahead

Developing an incident response plan for your organization is the cornerstone to your cyber defence strategy. An incident response plan helps you detect and respond to cyber security incidents. Your organization should consider major events that could cause an unplanned outage and require you to activate your incident response.

It should include a risk assessment, backup, recovery and communications plans. It should also designate roles for your employees and provide them with detailed instructions in the event of an incident. Your plan should be available offline in the event your systems are unavailable. Additionally, your organization should develop and frequently test a business continuity and disaster recovery plan.

Prepare for recovery

Once an incident has been contained or resolved, your organization should have a recovery plan in place, which should be tested by conducting simulations or walk-through exercises. The scenarios should test the effectiveness of your response and highlight areas for improvement.

Back up your data

Having reliable backups can significantly enhance your ability to recover from a ransomware attack. A backup is a copy of your data and systems that can be restored and provides access to your critical systems in the event of an incident. You should back up your data frequently to ensure it is as close to real time as possible. Create many security barriers between your production systems and your backups. Ensure your backups are encrypted and stored offline without connection to the Internet or local networks. If your backups are connected to your networks, threat actors can infect them, which will hinder your recovery efforts. Testing your backup process is also crucial to a quick and effective recovery.

Provide security awareness training for employees

Provide employees with tailored, continuous training on cyber security and device management. This will ensure they don't fall victim to malicious activities such as phishing emails and infected downloads. To learn more about cyber security event management training, consult the Cyber Centre Learning Hub. The Learning Hub offers a comprehensive event management course that can be tailored to your organization's business and information technology (IT) needs.

Offer tailored cyber security training to your employees (ITSAP.10.093)

Consider cyber insurance

Research insurance providers and policy details to determine whether cyber insurance would benefit your organization. An insurance policy may add an additional layer of protection and provide your organization with incident response expertise in the event of a ransomware attack. However, you should make sure insurance policy documents are properly protected in both of your systems. If not, sophisticated ransomware actors could obtain sensitive information on coverage amounts and leverage it in ransom negotiations. Be aware that insurance companies may deny coverage if they deem that your organization did not have adequate cyber security measures in place.

Top of page

How to protect your organization

Ransomware is among the most common type of malware and can be one of the most damaging cyber attacks to your organization. Use the following guidance to protect your organization from ransomware attacks.

Enforce strong authentication methods

Activate phishing-resistant multi-factor authentication (MFA) and use strong and unique passphrases or passwords on all devices and for every account.

In addition to using MFA, you should encourage employees to use a password manager. Password managers can help users remember and secure passwords or passphrases. Your organization should also consider implementing password vaults for administrative accounts. Password vaults provide greater protection as the passwords or passphrases are cycled and synchronized with your systems.

Implement the principle of least privilege

Applying the principle of least privilege can help you manage and monitor user accounts and access. Provide employees with access to only the functions and privileges necessary to complete their tasks. One way to accomplish this is to implement role-based access control which maps users' access rights to their role within the organization.

Restrict administrative privileges

You should limit the number of administrative or privileged users for operating systems and applications. Users should never have privileged access on their desktop or laptop systems. Users with administrative privileges should have a separate administrative account with separate credentials, regardless of whether your organization has a cloud, on-premises or hybrid environment.

You should also create different levels of administrative accounts to limit the level of exposure if an administrative account is compromised. In addition, you should Implement required confirmation for any actions that need elevated permissions.

Managing and controlling administrative privileges (ITSAP.10.094)

Update and patch systems and devices

Check for updates and patches to improve usability and performance and repair known bugs and vulnerabilities in your software, firmware and operating systems. Threat actors can easily exploit unpatched or unsupported systems and devices.

How updates secure your device (ITSAP.10.096)

Deactivate macros

Ensure you deactivate macros as your default to reduce the risk of ransomware being spread through Microsoft Office attachments. Newer versions of Microsoft Office will deactivate macros from the Internet by default.

How to protect your organization from malicious macros (ITSAP.00.200)

Segment networks

Divide your network into several smaller components. This makes it more difficult for ransomware to spread across the entire network. Your organization should have an inventory of its essential business information that is classified and categorized based on its level of sensitivity or privacy impact. Segment and group infrastructure services that have the same information protection requirements or that must adhere to the same communications security policies.

Action no. 5 segment and separate information (ITSM.10.092)

Set up security tools

Install antimalware and antivirus software on your devices to detect malicious activity and secure your network with a firewall to protect connected devices. Consider installing domain name system (DNS) filtering on your mobile devices to block malicious websites and filter harmful content. The Canadian Internet Registration Authority offers a free protective DNS service, Canadian Shield, that prevents you from connecting to malicious websites that may infect your devices or steal personal information.

Implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication and reporting protocol that helps protect your organization's domains from spoofing, phishing and other malicious activities.

Ensure users access your network using your virtual private network (VPN). A VPN creates a secure connection between 2 points and can be used to protect sensitive data while it is in transit.

Seek professional cyber security assistance

Engaging with a cyber security professional early on may allow you to recover your systems and data more quickly than relying on your internal IT staff when facing a cyber incident.

How to recover from a ransomware attack

Consider the following steps to help remove and reduce the spread of ransomware.

Isolate the devices immediately

Take your devices offline to stop the ransomware from spreading to other connected devices. We recommend you do not power down the device once it's isolated. This allows forensic evidence to be preserved.

Some ransomware strains are designed to stay dormant on a device and quietly spread to other network‑connected devices before encrypting files. In these cases, you may not be able to stop the ransomware from spreading.

Report the incident

Consider reporting cyber incidents to law enforcement, such as local police or the Canadian Anti-Fraud Centre, as well as to the Cyber Centre online through My Cyber Portal

If you are comfortable doing so, share your findings, including the tools, techniques and procedures used by the threat actor, with the Cyber Centre

Communicate the incident to the employees listed in your incident response plan and give them clear direction as to their roles and responsibilities to help manage the incident. This should already be defined within your recovery plan.

Change passphrases

Reset credentials including passphrases on all systems, devices and accounts. Threat actors often save this information for future attacks.

Identify the type of ransomware

Use the information in the ransom note (such as listed URLs) and the new file extensions your encrypted files inherited to research possible reoccurring attacks and identify the ransomware. This information will also be useful for law enforcement and/or your contracted managed security service if you have one.

If you locate a decryption tool online, or if law enforcement can provide you with one, proceed to remediation.

If there is no decryption tool available online for your strain of ransomware, sanitize your device and reinstall the operating system if law enforcement or a managed security service is not involved.

Sanitization and disposal of electronic devices (ITSAP.40.006)

Remediate the point of entry

Before reconnecting your systems and devices to your network or the Internet, identify how the threat actor entered your environment. Once the vectors have been identified, you should apply appropriate security measures to prevent a repeat attack.

Restore from your backup

Store your backups offline to mitigate the chance of ransomware infecting your backup files.

Analyze/scan your backup files and ensure they are free of ransomware or any other malware.

Once you are confident, restore your systems and devices from your secure backup.

Update and patch

Apply any available updates to your devices, hardware and software. Patch your operating system and ensure all antivirus, antimalware and firewall software is up to date.

Review the incident and provide ongoing training

Review the incident with your employees.

You should also provide ongoing training that addresses preventative actions against ransomware attacks, such as learning how to identify suspicious emails and attachments.

Use common threat examples and past occurrences to keep up to date and prepared for the future.

Top of page

Risks of paying the ransom

The decision to pay a cyber threat actor to release your files or devices should not be taken lightly. Before you consider paying ransom, we recommend you contact your local police department to report the cybercrime. Paying the ransom will not guarantee access to your encrypted data or systems. Even if you pay, threat actors may still:

demand more money
continue to infect your devices and systems or those of other organizations
retarget your organization with a new attack
copy, leak or sell your data

Learn more

Consult the following guidance to learn more:

Top of page

Cyber Centre releases Ransomware Threat Outlook 2025 to 2027

2026-01-28T16:06:55Z

Ransomware playbook (ITSM.00.099)

2026-01-28T16:05:00Z

Alternate format: Ransomware playbook (ITSM.00.099 - PDF, 1.29 MB)

Overview

Ransomware is a type of malware that denies a user’s access to a system or data until they pay a sum of money. It can have a devastating impact on organizations and individuals. Vital data and devices can be rendered inaccessible, leaving organizations unable to conduct business or serve clients.

We have seen an increased number of ransomware attacks affecting Canadian organizations and individuals. The Cyber Centre’s National Cyber Threat Assessment 2025-2026 (NCTA) specifically notes that ransomware is the top cybercrime threat facing Canada’s critical infrastructure. Ransomware directly disrupts critical infrastructure entities’ ability to deliver critical services, which can put the physical and emotional wellbeing of victims in jeopardy. In the next 2 years, threat actors carrying out ransomware attacks will remain a significant threat to Canada.

Threat actors have adjusted their tactics to include coercing victim organizations to pay a ransom by threatening to release stolen data or authentication credentials to publicly embarrass the organization. The NCTA notes that threat actors will very likely continue leveraging advancements in areas like artificial intelligence (AI) and cryptocurrency while developing new extortion tactics to increase their financial reward. Ransomware incidents have become more sophisticated, targeted and complex. It is increasingly difficult for organizations to defend against and recover from these attacks, especially if an organization has limited cyber security resources.

Threat actors have also become more covert in their operations. They start by gaining access to an organization’s communications systems to identify critical systems and high-value data that could cause reputational damage if leaked to the public. Threat actors then deploy the ransomware to the datasets and systems of highest importance or value, compromising the organization. In addition, threat actors actively monitor the organization’s communications and planned recovery actions to undermine response efforts and further infiltrate networks and connected devices.

The information provided in this publication is intended to inform organizations and help them reduce the risks of ransomware attacks, lessen the impact of these attacks, and take preventative actions. It can also help organizations to articulate business and security requirements and implement relevant policies and procedures related to cybercrime.

This publication introduces ransomware, threat actor motivations and gains, and measures to prevent these attacks and protect your organization. This publication is broken down into 3 sections:

Ransomware explained: In this section, we define ransomware and outline the common vectors used to infect networks and devices.
How to defend against cyber threats: In this section, we provide a list of preventative measures you can take to protect your organization and offer checklists for specific mitigation measures. When you apply these measures, you enhance your cyber hygiene and protection against cyber incidents and threat actors, including ransomware.
How to recover from ransomware incidents: This section includes guidance on immediate actions organizations can take when ransomware is discovered, recovery measures, and methods to evaluate the incident and enhance security measures. By following the recommendations in this section, organizations can better respond to an incident and decrease the risk of your organization being a repeat victim of ransomware.

If you believe you are a victim of ransomware:

Read the advice and guidance on how to recover in How to defend against cyber threats
Report the ransomware incident:
1. to your local police
2. to the Canadian Anti-Fraud Centre
3. to the Cyber Centre
Once your recovery efforts are in place, read How to recover from ransomware incidents for advice on how to improve your cyber security environment

Ransomware Threat Outlook 2025-2027

2026-01-28T16:00:00Z

Alternate format: Ransomware Threat Outlook 2025-2027 (PDF, 1.8 MB)

Cyber security considerations for drone use (ITSAP.00.143)

2026-01-27T19:41:05Z

January 2026

Awareness series

ITSAP.00.143

January 2026 | Awareness series

Drones are mobile vehicle systems that can function with varying degrees of autonomy from human operators. Depending on their design and function, they may also be called remotely operated systems, remotely piloted aircraft systems, or uncrewed ground/underwater vehicles.

Before deploying a drone, you should conduct a threat risk assessment (TRA). A TRA will help to identify potential security threats and determine the appropriate cyber security measures required to mitigate them. Understanding the risks associated with the use of drones for business or operational purposes will enhance your organization’s ability to protect your systems, data, and networks.

Types of drones

There are many styles of drones that have different forms and serve varying purposes. They can be generally categorized into 3 main types based on their design and intended use: commercial, own-made and professional.

Commercial drones

These drones are produced by commercial organizations and used to support business and individual activities. Commercial drones have a wide range of applications, depending on the field or line of business. Some examples include aerial photography, agricultural spraying and package delivery. Commercial drones generally use commodity parts with low-security supply chains.

Own-made drones

These drones are built and created by individuals or organizations, often for personal use. Own-made drones can also be organization-made and used to control features that would typically be managed by third parties. These drones generally use a mix of custom-made hardware, software and parts, which allows for more visibility into supply chains.

Professional drones

Professional drones are used in critical environments, such as military or search and rescue. These drones are used for tasks like perimeter surveillance, emergency response and industrial inspection. They typically feature components that have complete visibility and control of supply chain contents.

Professional drones can be used for many purposes, including:

recreation
surveillance
commerce
data collection
infrastructure monitoring and inspection
emergency response
public safety
security

How drones work

Drones can operate without a physical connection to a controller (for example, untethered and remote). They work semi-autonomously by using stability control, following a pre-programmed path or by human control. Some drones are capable of fully autonomous modes of operation, using onboard systems to navigate and perform tasks without real-time human input. An example of autonomous mode are drones that follow a pattern. Some drones connect to the Internet or require data to be transmitted through the Internet. Most rely on satellite systems to provide global positioning and timing services.

A drone’s functionality is supported by 2 main components: on-board and off-board systems.

On-board systems include:

central control computer
communication modules
movement and stability controls
positioning and navigation tools (like GPS and visual or acoustic sensors)
data collection tools (like camera and microphones)

Off-board systems include:

a control station (like a computer or mobile device)
a user interface for monitoring and issuing commands
data display and storage systems

Risks associated with drones

Drones are susceptible to a variety of cyber threats that can compromise their functionality and the data they collect. Most notably, drones can pose significant risk to your organization when connected directly or indirectly to your network. They are untrusted devices meaning their connection can be leveraged by threat actors as an attack vector or used to gain remote access to your environment.

Another common risk involves drones being misled through satellite navigation interference. For example, signals can be jammed or spoofed to create false signals and prevent communications from reaching the drone. This can cause the drone to go off course without realising that it has changed trajectory. Unintentional electromagnetic interference can also disrupt drone communication signals.

If your drone is compromised, threat actors may be able to:

take control of the drone from the current authorized operator
steal authentication and encryption mechanisms used by drones to gain access
acquire images, the location of the operator and other data captured by sensors
access sensitive information through drone images that contain metadata, revealing operational activities (for example, timestamps and location coordinates)
exploit vulnerabilities in other systems by injecting malware

Artificial intelligence risks

Drones with artificial intelligence (AI) functionality may be vulnerable to different attack methods. Manipulated inputs to the drone can cause AI models to misinterpret data, leading to incorrect decisions. Consider the following examples of AI-related attacks.

Data manipulation

Images can be manipulated to deceive AI navigation systems by altering sensor inputs or physical objects. This can cause navigation systems to misinterpret information and may lead to incorrect or unexpected operational outcomes.

Data poisoning

Threat actors can corrupt training data through data poisoning attacks. This can result in faulty AI decision-making.

Swarm attacks

Threat actors can conduct swarm attacks which enable multiple AI-functioning drones to operate autonomously and collaboratively to overwhelm defences.

Denial of service attacks

Threat actors can gain unauthorized access to perform arbitrary code execution (for example, using commands or code to disable the drone or its process) due to traditional software vulnerabilities.

Management platforms and software risks

Drone management platforms or the software used to operate and manage drones rely on:

remote connections
cloud platforms
flight telemetry sensors
cloud infrastructure

These platforms and software can present further threat surfaces to your drones and data. If compromised, your drones and data are at risk of having their images and coordinates stolen, losing control and losing sensitive information. Some of these platforms may use sensitive authentication credentials used to access higher security levels, which can be a greater risk to your data if compromised.

Considerations for vendor selection

When selecting a drone vendor or manufacturer you should ask cyber security related questions, such as:

Does the drone manufacturer engage in secure-by-design and secure-by-default practices?
- Products that incorporate secure-by-design and secure-by-default prioritize the security of customers as the core business requirement
How does the drone minimize the effects of satellite spoofing and jamming attacks?
Has a vulnerability analysis been performed on the drone, controller and any peripherals and has it been shared by an independent and verified third party?
Is a list of all components and dependencies used in the software application available from the manufacturer?
- This is required to reflect the scope of vulnerabilities or mitigations in the software used for the drone and related systems
Is supply chain information available for the drone and peripherals?
- Knowledge of the supply chains used in manufacturing the drone and related system offers information on potential vulnerabilities
What documentation exists to ensure that proper cryptographic methods have been validated, applied and subjected to thorough testing?
- For more details on appropriate cryptographic methods, consult our guidance on becoming cryptographically agile (ITSAP.40.018)

Regarding user functionality and what security measures you might have to keep up with, consider the following questions:

Do the drone, controller and peripherals require frequent updates?
- You should only update the firmware and software if necessary (for example, for security patches)
- Perform updates on separate, isolated systems to protect sensitive information and operations
Can the drone, controller or peripheral firmware updates be reversed or returned to the previous version?
- Before installing patches, review the related details for necessary security features, as updates can include undesirable features or introduce other vulnerabilities
Are proprietary software and drivers required to be installed on the systems to handle data with the drone?
- A device with access to your systems could expose those systems to threat actors
Can a static code analysis (for example, examining the source code to identify vulnerabilities) be performed on the firmware or other software used to control or interact with the drone?
- This offers stronger cyber security and can be easily scanned and analyzed for vulnerabilities by a variety of third parties
Is strong encryption used to store and communicate drone images?
- Encryption secures the data being stored on and transferred to and from the drone
Can the drone store images and data by using on-board memory (for example, an SD card)?
- Using a secure peripheral to store and import data to a scanned external device can be more secure than using proprietary software
Does the drone, controlling system and any peripherals connect to a cloud platform?
- Connecting to a cloud platform can introduce cloud-based vulnerabilities and threats

Considerations with own-made drones

When choosing to create or use an own-made drone, you should consider the following cyber security measures:

Ensure that the source code is open source and has been audited by a verified organization
Ensure that strong encryption practices are used to encode images stored and transmitted
Test the drone thoroughly and make improvements where necessary
Consider redundant and fail-safe systems (for example, ensure the system will function as needed if one or more parts fail)
Make sure emergency remote takeover systems for human supervision exist
Ensure the system architecture is well documented and includes all components
Monitor and log activities for continuous security enhancements (for example, incident response)

Securing your drone

There are many cyber security considerations when setting up and securing your drone. The following actions can strengthen the security of your drone and your data:

Use a dedicated or stand-alone controller for your drone rather than a mobile device used for other purposes
Establish an isolated environment or zone for drone use so you can control and monitor network access
Ensure the networks that the drones and related systems use are separate from networks used by other trusted systems to isolate the threat from other sensitive environments
Use strong encryption to secure the data transferred to and from the device
Set up a separate and secure isolated environment to transfer, install and scan recorded data and required applications (for example, updates and patches)
Use an SD card or external peripheral to transfer sensitive data rather than cloud connections
Disable default cloud connections
- If you need to use the cloud, use on-premises cloud platforms with strong encryption to protect data in transit and at rest
Mitigate jamming or spoofing attacks by integrating tools (for example, microelectromechanical systems or fibre-optic cables) that recognize other signals and can be used for alternate guidance methods

Consider the following security tools to stay vigilant and monitor your drone data and activity:

Take note of the information that could be accessed by the drone and shared with third parties when configuring your device
Be suspicious of what data is being shared with remote servers and use a virtual private network to transfer the data
Request a copy of the source code for the firmware and other drone software so your IT team can run a static code analysis
Request evidence of a comprehensive third-party vulnerability assessment
Monitor suspicious activity by implementing an intrusion detection and prevention system on the network used by drones to detect and block the traffic immediately
Use monitor logs to indicate vulnerabilities, further secure sensitive information and patch areas that need greater security
Implement a zero trust architecture if handling sensitive data and to mitigate AI related risks

Learn more

What to do when your organization has been compromised by a cyber attack (ITSAP.00.009)

2026-01-21T16:49:12Z

January 2026

Awareness series

ITSAP.00.009

January 2026 | Awareness series

Cyber attacks are common and can impact organizations of all sizes, within all sectors. This publication provides guidance on the actions you should take in the critical moments after a compromise is detected to lessen the impact on your organization.

What to do after discovering a compromise

The moments immediately after a compromise is detected are crucial to minimizing the impacts. Take the following steps immediately after detection.

Keep the system powered on

Your device holds volatile forensic evidence that can be used to help determine the source and scale of the suspected compromise. Although it may seem obvious to restart your device to see if the problem persists, it’s important to keep all potentially compromised devices turned on. You should take note of important information that may otherwise be lost.

To best preserve this evidence:

Lock the system
Do NOT shut down the system
Do NOT reboot the system
Do NOT log the current user out

Do not destroy any forensic evidence during the entirety of the investigation. Logging off, or even temporarily removing the device’s power source, will clear it of all volatile data.

Verify the incident

Contact your IT department to perform a thorough sweep on impacted devices. They can confirm if the issue is truly an incident and whether the host device is compromised. To assist IT in verifying the incident, ensure you have the following information:

When you first suspected a compromise
Which devices you think are compromised
Who had access to the compromised device(s) and information
Who currently has access to the device(s) and do they require access
When did you last perform system and software updates
What types of information do you suspect were stolen
How many people do you think were affected and do you have their contact information
Who is the designated point of contact for your organization
Does the designated point of contact have the authority to permit and conduct forensic imaging for the sake of investigation

Top of page

Recommended IT response to a compromise

Once your IT department has verified that an incident has occurred and there is a compromise, they should take the following steps to respond. These steps will help to minimize the impact of the compromise on your organization.

Contain the incident

Depending on the device or scale of the compromise, you may need to use a combination of these techniques for complete isolation:

Isolate all compromised devices and systems from the network by using tools that support a quarantine feature
Place the compromised devices in a separate virtual local area network
Deactivate the network interface card
Disallow Wi-Fi connection or remove the network cable
Review access and control privileges in your organization and limit access where possible
Revoke access to any third-party apps or services connected to the compromised accounts and review and manage app permissions

Inform necessary stakeholders

When an incident occurs, ensure you inform those in your organization that need to know. Consult with legal and financial counsel if necessary. Consider contacting relevant service providers, such as cloud service providers or managed service providers, who may offer additional assistance and security measures during your investigation.

The Privacy Act applies to the Government of Canada and private sector organizations are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). Private sector organizations are required to:

report to the Privacy Commissioner of Canada any data breach involving personal information that poses a risk of significant harm to individuals
notify individuals affected by the breach
retain records related to the breach

Collect evidence

Before starting an investigation, your organization should have a dedicated forensics workstation to minimize contamination with other devices. Also, your organization should ensure that the appropriate authority has approved of these investigative actions. We recommend taking note of all the actions taken, including the purpose of each task. Your IT department can also take the following actions to collect investigative evidence.

Acquire volatile evidence

Volatile evidence is data that is only present when the device is powered on and running, such as random access memory (RAM). It is vital that the compromised device stay powered on until all volatile forensic evidence is collected and preserved. The collected evidence should be stored on an external device for safekeeping.

Acquire non-volatile evidence

Non-volatile evidence is data that persists even when there is a loss of power, for example, disk images (a bit-by-bit copy of data on disk).

Check for BitLocker encryption

BitLocker is a full-volume encryption feature on Microsoft Windows products designed to protect data by providing encryption for entire volumes. If you are collecting BitLocker encrypted data, make sure to have the BitLocker recovery key on hand.

Top of page

Learn more

Top of page

Developing your IT recovery plan (ITSAP.40.004)

2026-01-16T19:03:08Z

January 2026

Awareness series

ITSAP.40.004

January 2026 | Awareness series

Unplanned outages, cyber attacks, and natural disasters can happen unexpectedly. Your organization may lose information or experience downtime that disrupts or stops critical business functions. Unplanned downtime is expensive and could have a lasting impact on your business. To ensure continued operations with minimal downtime, your organization should have an IT recovery plan as part of your overall business continuity approach. The IT recovery plan should identify critical data, applications, and processes, and define how your organization will recover IT services that support business operations, products, and services.

Incident response plan: Event-focused plan, specific to a security incident like a cyber attack affecting an organization
Business continuity plan: Specific plan to quickly resume only the most critical operations, as defined by a business impact analysis, in the event of a disaster
Disaster recovery plan: Holistic plan to return your organization to full operations after a disaster

Know your business disruption tolerance

To develop an effective recovery plan, you should tailor it to address the impact an incident would have on your organization. Your plan should also specify the level of disruption your organization is willing to accept if an incident occurs. There are 3 key measures to consider in your plan:

Maximum tolerable downtime: The total length of time that a process can be unavailable without causing significant harm to your business
Recovery point objective: The measurement of data loss that is tolerable to your organization
Recovery time objective: The planned time and level of service needed to meet the system owner’s minimum expectations

Identify your critical business functions, applications, and data

Your plan should identify your organization’s critical data, applications, and functions. Critical data may include financial records, proprietary assets, and personal data.

Critical applications are the systems that run your key business functions and are imperative to your business. These are the systems that must be restored immediately for business continuity in the event of an unplanned outage.

To identify critical business functions, applications, and data, you should conduct a risk assessment to identify threats and vulnerabilities. Run through specific scenarios (such as a cyber attack, significant power outage, or natural disaster) to identify key participants and stakeholders. Reviewing these scenarios will also help you address significant risks, develop mitigation strategies, and identify the recovery time and effort.

Conduct a business impact analysis (BIA) to predict how disruptions or incidents will harm your operations, business processes and systems, and finances. During your BIA, you should also assess the data that you collect and the applications that you use to determine their criticality and choose priorities for immediate recovery.

Create your IT recovery plan

Complete to the following steps when creating your organization’s IT recovery plan.

Identify stakeholders, including clients, vendors, business owners, systems owners, and managers
Identify your response team members, as well as their roles and responsibilities
Take inventory of all your hardware and software assets
Identify and prioritize critical business functions, applications, and data
Set clear recovery objectives
Define back-up and recovery strategies
Test your plan regularly
Develop a communications plan to inform key stakeholders
Develop a training program for employees to ensure that everyone is aware of their roles, responsibilities, and the order of operations during an unplanned outage
Engage with managed service providers if required to identify areas in which they can assist you with your recovery efforts

Choose your recovery strategy

There are several options to consider when implementing your recovery strategy, but you should choose a recovery strategy that meets your business needs and security requirements.

Hot, warm, or cold site

Hot site
- back-up site with the same servers and equipment as your primary site
- functions the same as your primary site and is always kept running in case of downtime
- data synchronization occurs within minutes to hours, reducing the risk of data loss
Warm site
- back-up site with network connectivity and some equipment installed
- requires setup to function at the full capacity of your primary site
- data synchronization occurs less frequently, which can result in some data loss
Cold site
- back-up site with little to no equipment
- requires more time and resources to set up and restore business operations
- data synchronization can be a difficult and lengthy process as servers need to be migrated from your primary site, resulting in a higher risk of data loss

Storage replication

Storage replication copies your data in real time from one location to another over a Storage Area Network, Local Area Network or a Wide Area Network. Since it is done in real time, it is referred to as synchronous replication. You can also use asynchronous replication, which creates copies of data according to a defined schedule.

Disk mirroring

Disk mirroring replicates data on 2 or more disk hard drives. Disk mirroring automatically switches your critical data to a standby server or network when your main system experiences unplanned downtime. If you are unable to restore your systems, you can use the mirror copy. It is important that the mirrored copy is backed up to a separate server or location that is unaffected by the outage.

Cloud vs. on-premises recovery

With a cloud-based recovery platform, you can connect easily from anywhere with a variety of devices. You can back up your data frequently, and it can be less expensive than purchasing and maintaining an on-premises platform because you pay for the space you need as you need it. Using the cloud can also reduce or eliminate the need for a separate offsite recovery site.

Test your IT recovery plan

Testing is critical. You can identify inconsistencies and address areas that need revision. Be sure to use a test environment to avoid business interruptions. Some example test strategies include:

Checklist: Read through and explain the steps of the recovery plan
Walkthrough: Walk through the steps without enacting them
Simulation: Use a simulated incident or disaster to familiarize the recovery team with their roles and responsibilities
Parallel test: Set up and test recovery systems to see if they can perform operations to support key processes. You keep your main systems in full production mode
Cutover test: Your recovery systems are set up to assume all your business operations, and you disconnect primary systems. This type of test causes business interruptions and requires additional planning

Learn more

Improving cyber security resilience through emergency preparedness planning (ITSM.10.014)

2026-01-16T19:03:08Z

January 2026

Management series

ITSM.10.014

January 2026 | Management series

Alternate format: Improving cyber security resilience through emergency preparedness planning – ITSM.10.014 (PDF, 695 KB)

Foreword

This is an unclassfied publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, contact the Cyber Centre:

email contact@cyber.gc.ca |Mobile 613-949-7048 or 1‑833‑CYBER‑88

Effective date

This publication takes effect on January 2026.

Revision history

First release: January 2026

Overview

Cyber emergency preparedness is the practice of ensuring that your organization has a strategy to prevent, respond to, and recover from cyber incidents. Implementing a cyber emergency preparedness strategy requires a collaborative effort from stakeholders across your organization. Your strategy should highlight key aspects of your emergency procedures, such as the steps your organization will take to respond to an incident, who will be contacted in case of an incident, and what resources will be required to carry out your overall plan. A cyber emergency preparedness strategy will help your organization to manage risks and improve resilience in the face of catastrophic events.

This publication describes emergency preparedness, related to cyber security, as a strategy that encompasses an incident response plan (IRP), a business continuity plan (BCP), and a disaster recovery plan (DRP). The difference between these 3 plans is detailed in this publication, along with the justification for why your organization should develop and implement all 3 plans to improve your cyber resilience and ability to maintain business operations amid an incident or a major disruption.

Your emergency preparedness plan should align with a relevant security risk management framework, such as:

the Cyber Centre IT Security Risk Management: A Lifecycle Approach (ITSG-33)
the National Institute of Standards and Technology (NIST) Cyber Security Framework
the International Organization for Standardization (ISO) ISO/IEC 27002:20122 Information security, cybersecurity and privacy protection — Information security controls

Integrating your emergency preparedness plan into your organization's security framework will help improve your cyber security resiliency and provide the security assurances of confidentiality, integrity, and availability for your business assets.

We recommend that you report cyber incidents to the Cyber Centre using our online reporting tool. We can provide your organization with cyber security advice, guidance, and services to help mitigate the impact of cyber incidents and better protect your organization from future incidents. We also encourage you to report cybercrime activities to law enforcement and fraud to the Canadian Anti-Fraud Centre.

Developing your incident response plan (ITSAP.40.003)

2026-01-16T19:02:25Z

January 2026

Awareness series

ITSAP.40.003

January 2026 | Awareness series

Your incident response plan (IRP) includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. Cyber threats, natural disasters, and unplanned outages are examples of incidents that can impact your network, systems, and devices. With a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly. While this publication is written in the context of cyber incidents, its guidance can assist your organization in developing an incident response plan for various types of incidents.

Before creating an incident response plan

Before you create an IRP, identify the information and systems of value to your organization. Determine the types of incidents you might face, such as ransomware or distributed denial of service attacks, and the appropriate responses. Consider who is best qualified to be a member of your response team. You should also determine how you will inform your organization of the plan and the associated policies and procedures.

Conduct a threat and risk assessment

A threat and risk assessment (TRA) is a process that helps you identify your critical assets and how these assets can be compromised. Your TRA will assess the level of risk these threats pose to your assets so that you can develop and prioritize your response efforts. Some questions to answer during the TRA include:

what data is valuable to your organization?
which business areas handle sensitive data?
what controls do you currently have in place?
can this lead to a privacy breach for your organization?

For more information on TRAs, read Harmonized TRA Methodology (TRA-1).

Create your response team

The purpose of your team is to assess, document, and respond quickly to incidents. The goal is to restore your systems, recover information, and reduce the risk of the incident reoccurring.

Your team should include employees with various qualifications and have cross-functional support from other business lines.

Roles to consider for your incident response team include:

critical path personnel
security practitioners
IT or cyber security specialists
project engineers for operational technology (OT) environments
legal
management

Cyber incidents in particular are unpredictable and require immediate response. Ensure your response team has alternate means of contact, such as mobile phones or out of band email. Each member of your team should also have a backup contact in case they cannot be reached or are unavailable.

Develop your policies and procedures

Your incident response activities need to align with your organization's policy and compliance requirements.

Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization's senior management.

Educate your employees

Provide training to employees that explains your incident response plan, policies, and procedures. Tailor your training programs to your organization's business needs and requirements, and to your employees' roles and responsibilities.

Update your employees on current incident response planning and execution. A well-trained and informed workforce can defend against incidents.

Create your communications plan

Your communications plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.

Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice. You may also need to contact your media team.

Types of incidents

Your organization can face many different incidents. Some examples include:

Ransomware

Ransomware is a type of malware that locks you out of files or systems until you pay a ransom to a threat actor. Payment does not guarantee that you will regain access to your information.

Data theft

Data theft occurs when threat actors steal information stored on servers and devices. The data is most commonly accessed using stolen user credentials. Advanced persistent threats (APTs) refer to threat actors that are highly sophisticated and skilled. APTs are able to use advanced techniques to conduct complex and protracted campaigns in pursuit of their goals. The APT designator is usually reserved for nation states or very proficient organized crime groups.

Active exploitation

Active exploitation takes advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices. These attacks can go unnoticed before you have the opportunity to apply a patch or update. Your plan should provide instructions for mitigating active exploitation, such as temporarily suspending Internet access or ceasing online activity.

Top of page

Main steps in your incident response plan

Your IRP should identify the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise your incident response plan annually to keep it effective.

Follow the incident response lifecycle steps below to structure your IRP.

Preparation

Start with a statement of your management's commitment to the project. Perform a risk assessment to identify your organization's most valuable assets that are critical to your business operations
Define the security incidents your organization is most likely to face and create detailed response steps for these incidents
Lay out the objectives of your incident response strategy, as well as your related policies, standards, and procedures. Your policy should include performance measures, the incident data that you collect over time (for example, the number of incidents and time spent per incident)
Define your goals to improve security, visibility, and recovery
Develop and implement a reliable backup process to create copies of your data and systems to help you restore them during an outage
Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents
Create your response team and assign roles and responsibilities to each member
Define your communications plan and identify how key stakeholders and management will be informed throughout the incident. You should have multiple communication mechanisms in place, this may be valuable during an incident
Develop exercises to test your plan and response. You can revise and improve your plan using your test results

Detection and analysis

Monitor your networks, systems, and connected devices to identify potential threats. Produce reports regularly and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your IRP. Determine the frequency and intensity of your monitoring.

Although it is impossible to have a step-by-step guide for every incident, you should be prepared to handle incidents that use common attack vectors.

In the event of a breach or compromise, analyze the incident, including its type, its origin, and the extent of the damage caused. All facts about the incident should be documented. When an incident is detected, analyzed, and prioritized, your incident response team should notify the appropriate stakeholders so that everyone that needs to be involved is informed.

Containment

Containment is crucial for your organization's recovery. The primary goal is to minimize business impact.

Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures.

An effective mitigation measure for an IT environment may include deactivating connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions.

Containment strategies and procedures will depend on the type of incident, the degree of damage the incident can cause, and your operational requirements. Refer to your organization's incident containment strategies, established in the preparation phase.

When dealing with an incident, the risk assessment completed in the preparation phase should help you define your acceptable risk so that you can develop your containment strategies accordingly.

Eradication

Conduct a root cause analysis to identify and remove all elements of the incident from the affected systems and complete the following actions:

Identify all affected systems, hosts, and services
Remove all malicious content from affected systems
Scan and wipe your systems and devices
Identify and address all residual attack vectors
Communicate with stakeholders to ensure appropriate management of the incident
Harden, patch, and upgrade all affected systems
Upgrade or replace legacy systems

Recovery

Restore and reintegrate the affected systems back into your operating environment.

Ensure any malware is removed before restoring your backups
Test, verify, monitor, and validate affected systems to ensure they are running effectively
Revise and update policies, procedures, and training initiatives

Post-incident activities and lessons learned

Review the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and what areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents. The results of the lessons learned should be used to improve detection methods and prevent repeated incidents.

In-house or professional services

When developing your IRP, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be retained to assist with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring and patching your systems. Outsourcing incident response for OT incidents or other specialized environments can be costly, and it is important to plan for these scenarios.

Learn more

Top of page

Developing your business continuity plan (ITSAP.10.005)

2026-01-16T19:02:04Z

January 2026

Awareness series

ITSAP.10.005

November 2025 | Awareness series

In the event of a cyber incident or natural disaster, your organization will need a business continuity plan (BCP) to resume its most critical business operations quickly. Your BCP will identify the risks from various threats and the impact they would have on your organization. BCPs outline the main assets, roles, responsibilities, and processes required to minimize disruptions and keep critical business functions running until your operations can be fully restored. Organizational resilience and compliance with regulations, policies, and standards are some of the reasons you should have a BCP.

Business continuity lifecycle

Your BCP needs to be tested, reviewed, and updated regularly. To ensure your BCP is relevant, useful, and reliable, you should follow the 5 steps of the business continuity planning lifecycle.

Initiate

Identify your organization’s unique goals and objectives, as well as the key people and processes required to meet these goals. Create a response team and assign a team leader. Be sure to include members from various operational areas of your organization. Each member should know the threats that could affect your organization and the level of impact of the associated risks. Ensure you communicate the intent of your BCP and the expected outcomes to senior management for approval.

Analyze

Conduct a threat and risk assessment (TRA) to identify the possible threats and risks that could disrupt your organization’s operations. Once the TRA is finalized, complete your business impact analysis (BIA). Your BIA will identify critical and non-critical business operations. Additionally, your BIA will list the consequences of disruption from the risks identified in your TRA. Examine critical operations to determine their recovery time objective (RTO) and recovery point objective. Your RTO is the planned time and level of service needed to meet the system owner’s minimum expectations.

For more information on TRA and BIA, read:

Develop and implement

Create strategies that will allow your most critical business operations to resume for each of your identified risks. These strategies should mitigate or minimize the impact on your organization’s stakeholders, operations, and assets. As you develop your BCP, consider the following best practices:

identify the response team, their roles, and their responsibilities
develop communication methods and recovery procedures
identify an alternate work site and an employee relocation plan
consolidate a list of alternate resources and suppliers
establish an IT recovery plan
establish policies to be implemented during a disaster, emergency, or incident
determine the resources required to roll out the activities in your plan
identify timeframes in which services and business operations need to be available
identify the resources required to ensure prioritization and a quick, relevant response
create reports to share with stakeholders
provide your employees with awareness and training on the identified risks, emergency preparedness, and response strategies
document your plan, validate it, and share it with your organization’s management teams
store your BCP in a secure location that is known to your response team and available in a disaster or incident

Communicate and integrate

Communicate your BCP to employees and stakeholders. Ensure you integrate your plan into your organization’s policies. To avoid misinformation during an incident, develop a communication and public relations plan. Include guidance on how to communicate to all internal and external parties, including the media.

Test and validate

Risks, priorities, and business operations will change over time. Your BCP will require improvement through ongoing analysis, testing, validation, and implementation. Learning opportunities like seminars, tabletop exercises, and live simulations will assess your response team’s preparedness and identify any weak points in your plan. Testing your BCP will evaluate and validate your identified procedures, training initiatives, technical solutions, and recovery procedures. Use test results to update the BCP and ensure it remains aligned to your organization’s operational requirements and threat landscape.

Top of page

Common disruptors to business operations

Natural disasters, global events, equipment failures, and compromises to your supply chain can all impact your business operations. In addition to these events, your organization needs to be prepared to mitigate the effects of various cyber threats, such as:

malware and ransomware incidents
data theft
distributed denial of service attacks
account compromises

Additional emergency preparedness strategies

Your BCP will address how to recover and resume only your most critical business operations during an incident. Your organization needs other plans to ensure it can detect, respond to, and fully recover all operations after any incident.

Your incident response plan (IRP) details the steps your organization will take to handle a specific security incident, mitigate the related risks, and recover quickly. Having an IRP will help your response team reduce organizational downtime and business disruption during an incident.

Your disaster recovery plan, which can include your IT recovery plan, will help your organization return to full operations after an incident.

For more information on developing these plans, read the Cyber Centre’s publications:

In addition to these plans, your organization can further reduce vulnerabilities and increase incident preparedness by taking the following preventative measures:

back up your systems and data online and leverage mechanisms to verify that these backups are trustworthy
provide employees with cyber security training tailored to their roles and your organization
monitor your network and review your audit logs to identify anomalies or potential compromises
enforce phishing-resistant multi-factor authentication wherever possible
limit the number of administrator accounts
ensure administrator tasks are completed on a dedicated administrative workstation

Learn more

Top of page

Joint guidance on secure connectivity principles for operational technology

2026-01-14T18:00:58Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the following international partners in releasing guidance on secure connectivity principles for operational technology (OT):

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Germany’s Federal Office for Information Security (BSI)
Netherlands’ National Cyber Security Centre (NCSC-NL)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
United States’ Cybersecurity and Infrastructure Security Agency (CISA)
United States’ Federal Bureau of Investigation (FBI)

Organizations deploying or operating OT systems often face challenges in prioritizing cyber security due to operational constraints. An example of such a constraint is the dependence on legacy technologies that were never designed for modern connectivity or security requirements. Opportunistic and highly capable threat actors are known to target exposed and insecure OT connectivity.

This joint guidance outlines the desirable end-states that organizations should achieve when designing connectivity into OT environments. The end-states are intended as goals rather than minimum requirements.

System owners should use these principles as a framework to design, implement and manage secure OT connectivity, for both new and existing OT systems. These principles are particularly critical for operators of essential services.

Read the full joint publication: Secure connectivity principles for operational technology (OT).

Related guidance

Generative artificial intelligence - ITSAP.00.041

2025-12-10T18:20:09Z

December 2025

Awareness series

ITSAP.00.041

December 2025 | Awareness series

Many organizations use artificial intelligence (AI) for process optimization, data analysis, diagnostics and customization of their user experience. Generative AI is a type of AI that generates new content by modelling features from large datasets that were fed into the model. While traditional AI systems can recognize patterns or classify existing content, generative AI can create unique content in many forms, including text, image, audio or software code.

A subset of generative AI that has seen significant improvement in recent years is large language models (LLMs). To create content, LLMs are provided a set of parameters (for example, a query or prompt). Since late 2022, several LLMs (for example, Microsoft’s Copilot, OpenAI’s ChatGPT and Google’s LaMDA) and services using LLMs (for example, Google’s Bard and Microsoft’s Bing) have gained the world’s attention. This publication provides some information on the potential risks and mitigation measures associated with generative AI.

How generative is AI being used

Generative AI is both a transformative and disruptive technology that may significantly alter how consumers, industries or businesses operate. It has the potential to enable creativity and innovation that could improve services and business operations. Some common examples of generative AI being used to enhance products and contextualize content include:

Image and video

Generative AI can be used to analyze, alter and create visual content for personal or business use. AI can use visual searches and contextualize content to offer alternate descriptions and examples.

Robotics

AI technology that uses motion planning and detection to perform different tasks, for example, self-driving vehicles and drones. Generative AI can be used to automate processes and enhance features.

Language

AI can understand voice and text to analyze, respond and carry out tasks. Call centres and website chatbots use generative AI to analyze initial requests and offer information to try and solve common questions without needing human interaction.

Entertainment

AI scans engagement to analyze connections between different software and applications and recommend content to users.

Generative AI is used in many industries and businesses to help enhance processes. The following sectors have found useful applications for generative AI:

Healthcare

Assists healthcare providers in making faster diagnoses and offers the ability to create personalized treatment plans. It can also be used in medical-assisting robots to help in surgery, diagnostic testing and analysis areas.

Software development

Enables software developers to generate code, assists in debugging or offers code snippets. This can help speed up the development and release of software products. Generative AI is also implemented in software to enhance different features and offer context or analyses for users, for example, in Microsoft Word.

Online marketplace

Generates human-like responses with chatbots and conversational agents, which can help organizations improve customer service and reduce support costs.

Business

Creates personalized customer communications for existing and prospective clients and generates predictive sales modelling to forecast their behaviour. It can also quickly produce unique and cost-effective outputs to use in marketing campaigns, advertising and video productions.

Agriculture

Automates farming tasks like planting, harvesting and monitoring in self-working machinery. It also offers tailored advisories and predictions to enhance sustainability and efficiency in product results and to reduce costs and labour.

Education

Allows educators to create personalized learning plans for students tailored to their individual performance, needs, and interests, which could help teachers better support their students.

Cyber security

AI facilitates enhancement of cyber defence tools against ransomware and other attacks. It assists cyber security practitioners to more easily scan large datasets to identify potential threats and minimize false positives by filtering out non-malicious activities.

Top of page

The risks involved with generative AI

While the capabilities of generative AI technology present great opportunities, they also bring many risks. Generative AI can enable threat actors to develop malicious exploits and potentially conduct more effective cyber attacks, especially as advances in AI allow for higher quality and quantity of content. A significant concern is that it can provide threat actors with a greater capacity to influence. Here are some of the potential risks to be aware of:

Misinformation and disinformation

Content not clearly identified as being AI-generated can result in the spread of misinformation, disinformation and confusion. Threat actors use AI in scams and fraudulent campaigns against individuals and organizations.

Phishing

Threat actors can craft targeted spear-phishing attacks more frequently, automatically, and with a higher level of sophistication. Highly realistic phishing emails or scam messages could lead to identity theft, financial fraud or other forms of cybercrime.

Privacy of data

Users may unknowingly provide sensitive corporate data or personally identifiable information (PII) in their AI queries and prompts. Threat actors could harvest this sensitive information to impersonate individuals or spread false information.

Malicious code

Technically skilled threat actors can overcome restrictions within generative AI tools to create malware for use in a targeted cyber attack. Those with little or no coding experience can use generative AI to easily write functional malware that could disrupt a business or organization.

Buggy code

Software developers may inadvertently introduce insecure and buggy code into the development pipeline. This could happen if they omit or improperly implement error handling and security checks.

Poisoned datasets

Threat actors can inject malicious code into the dataset used to train the generative AI system. This could undermine the accuracy and quality of the generated data. It could also increase the potential for large-scale supply-chain attacks.

Biased content

Most of the training datasets fed into LLMs come from the open Internet. As such, generated content has a fundamental bias in that only limited amounts of the world’s total data are online and available for AI to use. Also, generated content may be prejudiced if the training dataset lacks balanced representation of data points.

Loss of intellectual property

Generative AI tools may enable sophisticated threat actors to steal corporate data more easily, quickly and in larger quantities. Loss of intellectual property (for example, proprietary business information and copyrighted data) can devastate your organization's reputation, revenue, and future growth.

Be aware of information received from AI

It is important to be cautious when using generative AI and understand it is a technology that uses machine learning to construct responses based on a prompt or query. Always keep in mind that its outputs:

can be incorrect
might not make sense
might not take certain factors into account
can be biased

It is also important to be careful and analyze AI content before acting or using it. You should always be aware of and validate your sources to verify whether the content being presented is accurate.

Top of page

How to mitigate the risks

Generative AI is a powerful tool that threat actors can leverage to launch cyber attacks. As this technology becomes more widespread, cyber attacks will likely grow in frequency and sophistication. Although detecting AI-enabled threats can be challenging, organizations and individuals can prepare for the increased challenges that these attacks may bring.

Organizations and individuals should practice basic cyber security hygiene as a starting point in understanding risks and taking the appropriate measures to mitigate them.

Organizations should consider the following cyber security measures to minimize their risks of being compromised by cyber attacks:

Enforce strong authentication mechanisms

Secure accounts and devices on your networks with multi-factor authentication (MFA) to prevent unauthorized access to your high-value resources and sensitive data.

Apply security patches and updates

Enable automatic updates of IT equipment and patch known exploited vulnerabilities as soon as possible. This will help to prevent AI-generated malware from infecting the network.

Stay informed

Keep up to date on the latest threats and vulnerabilities associated with generative AI and take proactive steps to address them.

Protect your network

Use network detection tools to monitor and scan the network for abnormal activities. This allows you to quickly identify incidents and threats and deploy appropriate mitigation measures. Additionally, explore how AI might be deployed defensively in network protection tools and consider any ramifications.

Train your employees

Educate all users on how to identify the warning signs of social engineering attacks and who to contact to manage these situations securely. This should include an easy way for users to report phishing attacks or suspicious communications.

Individuals should consider the following measures to protect their personal data from AI-related cyber attacks:

Be cautious when sharing data

Do not share private information with AI tools unless you understand what they are doing with your data. Sharing data trains AI models to then be potentially exploited or sold.

Verify content

As more data becomes available, it may be difficult to know who is responsible for the content or how much of it is logical or factual. It's important to read and look for signs that the content was produced by a generative AI tool. Review the generated content and take the time to fact check it against credible sources.

Practice basic cyber security hygiene

Stay informed, use strong passwords and enable MFA to protect online accounts. Make sure to keep software up to date, use antivirus software and avoid public Wi-Fi networks.

Limit exposure to social engineering or business email compromise

Implement basic online safety practices such as:

reducing the amount of personal information you post online
avoiding opening email attachments and clicking on links from unknown sources
communicating via an alternate, verified channel
being suspicious of callers or senders that ask for sensitive information

Top of page

Security measures to consider using

If you plan to use or are already using generative AI, the following security measures can help you generate quality and trustworthy content while mitigating privacy concerns:

Implement a cyber security risk plan

Your organization should establish a plan that identifies policies on how AI should be used and the content that is allowed to be generated. Enforce security-by-design throughout the AI system lifecycle to monitor components and third-party software. Your policies should include the oversight and review processes required to ensure the technology is used appropriately. Consider if AI is a necessary tool for the task (for example, weigh the risks and costs) and whether developing an in-house AI tool would be of higher value than using third-party products.

Select your vendor carefully

When using pre-trained AI, ask your provider if the datasets were acquired externally or developed internally and how they were validated. Use diverse and representative data to avoid inaccurate and biased content. Establish a process for outputs to be reviewed by a diverse team from across your organization to look for inherent biases within the system. Ensure your vendor has robust security practices implemented in their data collection, storage and transfer processes. Continuously fine-tune or retrain the AI system with appropriate external feedback to improve the quality of outputs.

Be careful what information you provide

Avoid providing PII or sensitive corporate data as part of the queries or prompts. Determine whether the tool allows your users to delete their search prompt history.

Learn more

Top of page

Artificial Intelligence - ITSAP.00.040

2025-12-10T18:19:19Z

December 2025

Awareness series

ITSAP.00.040

December 2025 | Awareness series

Artificial intelligence (AI) uses intelligent computer programs to find patterns in data to make predictions or classifications. AI can be used to perform specific tasks by analyzing data online to replicate human thought processes and decision-making abilities. Machine learning, a subset of AI, uses algorithms and data to understand languages, text and multimedia to help the computer system learn and improve based on its own experience. Deep learning is a subset of machine learning that uses vast volumes of data and a layered structure of algorithms to train a model to make intelligent decisions independently.

What AI can do

AI already plays a big role in our everyday lives by providing recommendations, information, answers to questions and help with organizing our schedules. Applications like search engines, online shopping and voice assistants on mobile devices or smart speakers create data and feedback for machine learning tools to learn and improve from.

While AI is commonly used as a digital assistant, it can also be used to enhance your organization’s operations. AI can create code, develop procedural steps, optimize workflows and provide metadata and advanced analysis as a cyber security tool. Its availability and capabilities continue to grow and are becoming an increasingly vital component of cyber security.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have evaluated some security related AI use cases and determined they hold no safety-impacting concerns. Some of these use cases include:

automated detection of personally identifiable information in cyber security data
confidence scoring for cyber security threat indicators
malware reverse engineering
detection of anomalies in critical infrastructure networks
detection of anomalies in security operations centre networks
drafting tailored summaries of medical documents for different publication channels
chat tools for interacting with, summarizing and searching agency materials and internal content

CISA is continuing to explore new ways to integrate AI tools to improve efficiency and strengthen cyber security. For more details, read CISA Artificial Intelligence Use Cases.

Top of page

What AI can’t do

AI still faces certain fundamental limitations. For example, it can be quite difficult for AI to use intuition or common sense, adapt to different situations and understand cause and effect. Humans, with their judgement and insight, can handle situations that require more intuitive problem-solving and decision-making skills.

How organizations use AI

Organizations use AI in a variety of ways to enhance their processes and reduce costs. Some common ways AI is used include:

Facial recognition

A leading application of AI that looks at facial features in an image or video to identify or verify the individual.

Process optimization

A properly trained machine learning tool, for example, learning from accurate data, can use the data to give more accurate solutions and perform mundane tasks faster than a human can.

Digital assistants

Chat or voice bots can improve customer service and reduce support costs. Customers can receive help within seconds at any time. These services are often highly personalized and can be based on a user’s preferences and history with the organization.

Fraud detection

Sophisticated machine learning tools can detect fraudulent emails faster than a human can. These tools sort through your inbox and move spam and phishing emails to your junk folder.

Document generation

Software applications use AI-powered tools to create well-structured documents. The application uses user prompts to generate formatted documentation.

Coding

AI uses natural language prompts to automatically generate code, functions and development tasks to increase productivity and streamline data. AI can analyze and offer improvements on existing code to debug and enhance performance.

Data analysis

Using machine learning algorithms, AI can analyze large amounts of data and discover new patterns. This is known as automation and greatly reduces the processing time spent by a data analyst and improves business performance.

Several industries use AI-powered tools to enhance their processes and offer further insight with continuously advancing areas of technology. Some of these industries include:

Healthcare

In the medical industry, AI can help in patient diagnosis and treatment in many ways, for example, through computer-aided diagnostic systems. Machine learning in precision medicine is another highly useful tool and can help predict which treatments are most likely to be successful.

Advertising

AI helps advertising agencies create, optimize and personalize ad campaigns by analyzing user data and delivering content that would appeal to specific audiences. AI reduces the time and cost associated with production through its ability to generate text, images and video content.

Cyber security

AI is useful in detecting new threats to organizations through automation. By using sophisticated algorithms, AI can:

automate detection of threats such as malware
run pattern recognition to find relationships between different attack vectors
provide superior predictive intelligence

Top of page

The threats involved with AI tools

AI tools are often only as good as the data model they rely upon. The main threats to AI come from compromises to its data. Common methods of compromise include:

Data poisoning attack

This type of attack occurs during a machine learning tool’s training phase. AI tools rely heavily on accurate data for training. When poisoned (inaccurate) data is injected into the training dataset, the learning system may be taught to make mistakes.

Adversarial example

This type of attack occurs after the machine learning tool is trained. The tool is fooled into classifying inputs incorrectly. For example, in the case of autonomous vehicles, an adversarial example could be a slight modification of traffic signs in the physical world (like subtle fading or stickers applied to a stop sign). The modification causes the vehicle’s AI system to misclassify a stop sign as a speed-limit sign. This could seriously impact the safe operation of self-driving vehicles.

Model inversion and membership inference attacks

These scenarios occur when a threat actor queries your organization’s data model. A model inversion attack will reveal the underlying dataset, allowing the threat actor to reproduce the training data. A membership inference attack confirms if a specific data file is part of the training data. Both model inversion and membership inference attacks could compromise the confidentiality and privacy of your training data and expose sensitive information.

How threat actors use AI

Alongside organizations using AI-powered technologies to enhance their business processes, threat actors also use AI to enhance their cyber attack methods. Some AI-related attacks can include:

using deepfakes to impersonate authority figures
impersonating legitimate websites
altering source code for malware to lower detection rates
processing public imagery and videos to geolocate facilities and identify industrial control systems to analyze and target equipment and connected systems

What else you should know about AI

AI is continuously evolving with new tools and enhanced features. Some other information you should know about AI include:

AI can detect patterns in data
AI needs enough data to see the patterns at a high enough frequency or resolution
AI will have a narrow scope if the data is not diverse
AI will provide unreliable results if the training data used is not accurate
data used for training should be complete, diverse and accurate
missing data may result in some patterns not being discovered, and the patterns that are found might not be accurate
data that is recorded and collected for quality-control purposes can contain both sensitive and personal information

Many organizations are now using trustworthy AI policies to ensure that their use of AI tools minimize potential biases and unintended consequences, especially regarding the treatment of individuals. Policies may also assist in the development of appropriate protocols for the handling of sensitive and personal information. An example of an AI policy is the Government of Canada’s recently adopted Directive on Automated Decision-Making. If your organization intends to deploy AI, it should consider seeking legal advice to manage the many ethical, privacy, policy, and legal considerations that come from using AI.

Learn more

Top of page

Joint cyber security advisory on pro-Russia hacktivists conducting opportunistic attacks on global critical infrastructure

2025-12-09T21:23:40Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States' Federal Bureau of Investigation (FBI) and other domestic and international partners in issuing a joint advisory on pro-Russia hacktivist attacks.

This joint advisory highlights the unsophisticated and opportunistic tactics, techniques and procedures (TTPs) used by pro-Russia hacktivist groups to target critical infrastructure (CI) globally. These attacks target minimally secured, Internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) operational technology (OT) control devices within CI systems.

OT owners and operators and CI entities should implement the following recommendations to reduce the risk of pro-Russia hacktivists targeting control networks through VNC connections:

Reduce exposure of OT assets to the public-facing Internet
Implement network segmentation between IT and OT networks
Adopt mature asset management processes, including mapping data flows and access points
Ensure that OT assets are using robust authentication procedures
Enable control system security features that can separate and audit view and control functions
Collect and monitor OT asset and networking device traffic
Review configurations for setpoint ranges or tag values to stay within safe ranges and set up alerts for deviations
Implement and practice business recovery and disaster recovery plans

This joint advisory updates CISA's joint fact sheet Primary mitigations to reduce cyber threats to operational technology.

Read the full joint advisory: Pro-Russia hacktivists conduct opportunistic attacks against US and global critical infrastructure.

Ransomware

2025-12-09T15:47:29Z

Ransomware is the most common cyber threat Canadians face and it is on the rise.

During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.

Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.

Basic cyber security practices would prevent the vast majority of ransomware incidents in Canada.

This page offers resources from the Cyber Centre to help Canadians and Canadian organizations understand the ransomware threat and take action to protect themselves.

Reports

Joint malware analysis report on Brickstorm backdoor

2025-12-04T20:19:45Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) in releasing a Brickstorm malware analysis report.

This joint report warns that People’s Republic of China (PRC) state-sponsored threat actors are using Brickstorm malware for long-term persistence on victims’ systems. This activity has been primarily observed on government services and facilities and information technology sector organizations. The report also provides indicators of compromise (IoCs) and detection signatures based off analysis of Brickstorm samples.

Brickstorm malware is a sophisticated backdoor for Linux, specifically VMware vCenter servers, VMKernel (VMware ESXI), and Windows environments. PRC state-sponsored threat actors have been observed targeting VMware vSphere platforms. Once compromised, the actors can use their access to vCenter to steal cloned virtual machine (VM) snapshots for credential extraction and create rogue VMs hidden from the vCenter management console.

We urge organizations to use the IoCs and detection signatures in this malware analysis report to identify Brickstorm malware samples.

Read the full joint publication: Malware analysis report – Brickstorm Backdoor

Public content provenance for organizations (ITSP.10.005)

2025-12-04T15:09:56Z

December 2025

Practitioner series

ITSP.10.005

December 2025 | Practitioner series

Alternate format: Public content provenance for organizations - ITSP.10.005 (PDF, 1.0 Mb)

Overview

This publication is intended for security and public communications practitioners. It lays the foundation in explaining what public content provenance is and why it's an important tool for organizations to establish a verifiable historical record of the content they make available online. It provides information about the range of technologies which help to establish trust in digital records along with examples of how they might be used to meet different requirements.

This publication has been jointly researched and co-authored by the Canadian Centre for Cyber Security (Cyber Centre) and the United Kingdom’s National Cyber Security Centre (NCSC). The Cyber Centre and the NCSC do not directly endorse the products, services or methodologies in this publication. The tools and standards described are a means to demonstrate how to improve cyber resilience in different contexts using combinations of technologies.

Joint guidance on principles for the secure integration of artificial intelligence in operational technology

2025-12-03T19:28:10Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the following international partners in releasing guidance on principles for the secure integration of artificial intelligence (AI) in operational technology (OT):

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Germany’s Federal Office for Information Security (BSI)
Netherlands’ National Cyber Security Centre (NCSC-NL)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
United Kingdom’s National Cyber Security Centre (NCSC-UK)
United States’ Federal Bureau of Investigation (FBI)
United States’ National Security Agency’s Artificial Intelligence Security Center (NSA AISC)

For critical infrastructure (CI) owners and operators, AI offers the potential to:

increase efficiency and productivity
enhance decision-making
save costs
improve customer experience

Despite the many benefits, integrating AI into OT environments that manage essential public services also introduces significant risks. These risks must be carefully managed to ensure the availability and reliability of CI.

This joint guidance outlines 4 key principles CI owners and operators can follow to leverage the benefits of AI in OT systems while minimizing risk:

Understand AI
Consider AI use in the OT domain
Establish AI governance and assurance frameworks
Embed safety and security practices into AI-enabled OT systems

We urge CI owners and operators to review this joint guidance and implement the principles to more securely integrate AI into OT systems.

Read the full joint publication: Principles for the secure integration of artificial intelligence in operational technology

Joint statement on malicious cyber activity targeting Canadian critical infrastructure

2025-11-27T13:23:39Z

Backgrounder: Malicious cyber activity targeting Canadian critical infrastructure

2025-11-26T21:11:30Z

The cyber threat to Canada’s water systems: Assessment and mitigation

2025-11-25T15:00:14Z

Don't take the bait: Recognize and avoid phishing attacks - ITSAP.00.101

2025-11-24T13:08:28Z

November 2025

Awareness series

ITSAP.00.101

November 2025 | Awareness series

Phishing is a form of social engineering where threat actors send communications that appear legitimate to trick or motivate individuals into:

revealing sensitive or personal information
clicking on links that direct them to malicious websites
downloading malicious attachments
transferring money

Types of phishing

Phishing attempts are often generic mass messages that appear to be legitimate messages from a trusted source (for example, a bank, online retailer, courier service, or utility company). Threat actors often take advantage of crises, conflicts or world events to launch phishing attacks against individuals, financial institutions, governments and critical infrastructure sectors.

The are several types of phishing.

Deceptive phishing

Deceptive phishing is one of the most common types of attack and occurs when a cybercriminal pretends to be a legitimate company to steal your personal information or login credentials. The threat actor may send you a link to a fraudulent website that closely mimics an official site, using deliberate misspellings that look almost identical to a legitimate URL. Threat actors may also send a quick response (QR) code, which makes it more difficult for potential victims to spot the attack.

Common deceptive phishing techniques include:

homograph exploits: threat actors use characters from different alphabets (for example, Cyrillic or Greek) that look almost identical to standard Latin letters but are coded differently, for example in “www.аррle.com” the “a” and “p” are from the Cyrillic alphabet, but look like their Latin counterparts
typo squatting: threat actors register domain names that are common misspellings of well-known websites, exploiting typing errors so that potential victims are not always aware that they are on the wrong website
legitimate-looking subdomains: threat actors take control of a subdomain that is no longer actively used by its legitimate owner or create subdomains that mimic legitimate ones (for example, “login.google.com.example.com” instead of “login.google.com”), often using names, logos or branding elements that are similar to legitimate ones

Spear phishing

Spear phishing is a personalized attack that targets a specific individual, company or organization. The message includes personal details about the potential victim, such as interests, recent online activities or purchases.

Whaling

Whaling is a personalized attack that targets a big “phish” like a CEO or executive. A threat actor chooses these targets because of their level of authority and possible access to more sensitive information or large amounts of money.

Quishing

Quishing is a phishing attack that uses QR codes. The threat actor may send a QR code via email, cover a legitimate QR code with a malicious QR code or place a malicious QR code in a public, high-traffic area. The victim scans the QR code, which redirects them to a malicious website. Quishing can bypass email security protection that scans for malicious links and attachments.

Smishing

A smishing attack uses deceptive short message service (SMS), also known as text messages, to manipulate victims into divulging sensitive personal information such as bank account details, credit card numbers or login credentials.

Vishing

Vishing is short for “voice phishing” and involves defrauding people over the phone and getting them to divulge sensitive information. A threat actor can fake or spoof their caller ID information or use a voice changer to make victims believe they are legitimate. Voices generated by artificial intelligence (AI) can sound like family members or friends.

A vishing scheme may also target the victim’s voice. In this instance, the threat actor collects a sample of the victim’s voice to conduct fraud (for example, to use the sample for voice authentication to access an account).

Angler phishing

Angler phishing is an emerging cyber threat that leverages social media platforms to post attractive but false information to “lure” targets into initiating contact. Threat actors may impersonate legitimate companies or brands through fake accounts, posts, direct messages or ads. They often create fake customer support profiles or use social media interactions (for example, responding to complaints or questions) to convince users to click on malicious links, visit counterfeit websites or share personal details.

This is a powerful attack because the target initiates contact with the threat actor—bypassing trust concerns—and provides an immediate and active interaction, rather than a passive and delayed interaction.

Catfishing

Catfishing is typically conducted through online platforms like dating websites. The threat actor fakes an identity or creates a persona to gain the target’s trust and defraud or extort them. The threat actor, or catfish, generally makes excuses to avoid in-person interactions. One of the more common forms of catfishing involves tricking the victim into an online romantic relationship.

Pharming

Pharming is a more advanced technique in which cybercriminals try to redirect users to fake websites that look identical to legitimate ones, like online banking sites, e-commerce platforms or social media networks. The goal of these attacks is to trick users into providing sensitive or personal information, such as usernames, passwords or credit card numbers.

While phishing relies on emails or messages to trick users into providing personal information, pharming uses malware or manipulates domain name systems (DNS) to redirect users to fraudulent websites designed to capture their personal information.

Artificial intelligence and phishing

AI is rapidly reshaping the cyber security landscape, introducing enhanced capabilities for defence and new avenues for exploitation. One concerning emerging threat is the use of AI to automate and refine phishing attacks. AI enhances the effectiveness of phishing attacks and reduces the time and effort needed for threat actors to conduct these attacks.

Recent advances in generative AI make it more difficult for users to identify phishing attempts. Generative AI can be used to produce highly realistic content, including text, images, video and audio. The content is enhanced and is more realistic, making it harder to distinguish between fraudulent and legitimate communications.

AI also enables threat actors to gather and analyze publicly available data on potential targets, allowing them to craft highly personalized spear phishing and whaling messages.

These messages can be tailored to reflect individual interests, online activity, familial connections or professional relationships—substantially increasing the likelihood of victims engaging with the threat actor.

AI is also playing a critical role in strengthening our cyber defences. Sophisticated AI-based intrusion detection systems can analyze large volumes of data, assess user behaviour, examine metadata and message content, and identify anomalies that may indicate a threat. These systems enable faster, more accurate identification and mitigation of phishing attempts and other cyber risks. As the threat landscape evolves, organizations must continue to invest in both AI technology and AI awareness to stay ahead of increasingly sophisticated attacks.

How to identify a phishing attack

Phishing attacks can be delivered in many ways, but they all play on trust, urgency and other aspects of human psychology. Fear, excitement, authority, curiosity and trust could all be reactions to a phishing message. Phishing attacks typically follow a similar sequence. Knowing how to identify these steps can help protect your organization against phishing.

Step 1: The bait

As described above, there are many ways that the threat actor can set the bait. They may craft a message that appears to come from a well-known bank or service provider. They use spoofing techniques and send the message to numerous recipients in the hope that some will take the bait.

In spear phishing and whaling attacks, the threat actor first gathers details about the target. For example, they harvest information from social media profiles, company websites and Internet activity to create a customized message.

In vishing attacks, the threat actor might use a computerized auto-dialler (known as a robocall) or an AI-generated voice of a known person to deliver the fraudulent message to many victims.

Step 2: The hook

The hook occurs when the victim believes the message is from a trusted source and the message contains information that entices the victim to take immediate action. For example, the message may ask the user to resolve an urgent issue with their account.

If the victim clicks the link in the message, they will unknowingly be redirected to the threat actor’s fake version of the real website. The victim provides sensitive information, such as login credentials, which is sent to the threat actor. If the victim opens an infected attachment, their device may become infected if the malicious code executes.

Step 3: The attack

Threat actors can use stolen user credentials to access the victim’s accounts. They may use an infiltrated email account to send more phishing emails to the victim’s contacts. If the victim has privileged access (for example, to an organization or company account, system or network), the threat actor could gain access to sensitive corporate data and critical systems.

If a threat actor successfully deploys malware to your organization’s network or systems, they can use it to gain control of devices, steal data or deny access to files—for example, by encrypting them—until a ransom is paid.

Phishing characteristics

Although AI is making it hard to detect certain phishing characteristics, such as poor spelling or a robotic tone, there are other signs to be aware of.

Something may be phishy if:

the sender makes an urgent request with a deadline
the sender requests your personal or confidential information
the sender asks you to log in via a provided link
the offer sounds too good to be true
the communication is unsolicited and includes:
- attachments
- links to websites or web forms (these may be spoofed)
- QR codes
- login pages
- a claim to be government or bank officials
you don’t recognize the sender
- remember, addresses can be spoofed
- a known sender isn’t necessarily a trusted sender

How to protect your organization from phishing

You can protect your organization’s information and infrastructure from phishing attacks by:

using trusted anti-phishing technology, such as the Canadian Internet Registration Authority (CIRA) Canadian Shield DNS resolver
using anti-phishing software that aligns with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy
backing up information so that you have another copy
applying software updates and patches
blocking IP addresses, domain names and file types that are known to be malicious
favouring in-person interactions, using cash and meeting in the office whenever possible; threat actors will try to find ways to avoid in-person interactions
establishing protocols and procedures for your employees to verify and report suspicious communications internally
using multi-factor authentication (MFA) on all systems, especially on shared corporate media accounts
updating your organization’s incident response plan to include steps to take in response to a successful phishing attack

Your employees can reduce their risk of falling victim to a phishing attack by:

remaining calm; phishing depends on creating a sense of urgency
avoiding sending sensitive information by email or text
reducing the amount of personal information they post online
enabling a spam blocker in their mobile device application settings
avoiding using any form of simplified contact response, such as clicking on hyperlinks, loading QR codes or replying to suspicious texts
filtering spam emails (unsolicited junk emails sent in bulk)
verifying the sender’s legitimacy by contacting the sender through a separate channel, for example:
- if they receive a call from their bank, hanging up and visiting or calling their local branch
- if they receive an email from their Internet service provider, contacting the service provider through their web form
- if they receive a text from a company or provider on their phone, responding by email from their computer
avoiding SMS over the air, flash call (a near-instant dropped call that is automatically placed to a mobile number) and SMS as an MFA method

Training and awareness

Employees should understand the importance of protecting their personal information and the organization’s information. Employees who are unaware of the signs of a social engineering attack might reveal information, whether sensitive or not. They may also unknowingly infect organizational devices, systems and networks.

Phishing attacks are less likely to be successful when your workforce is informed and has received training on how to handle personal information, such as privacy awareness training, and on cyber security best practices. Organizations should also conduct internal phishing simulations to enhance employees’ understanding of the risks. This will help employees detect and avoid phishing attacks in a safe environment.

Organizations can discuss smishing and vishing protection mechanisms with their telecommunications providers. Often, mobile network operators are better positioned to block attempts before these attempts reach users.

Learn more

Joint guidance on mitigating risks from bulletproof hosting providers

2025-11-19T14:05:31Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Cybersecurity and Infrastructure Security Agency (CISA), and the following international partners in releasing cyber security guidance on mitigating risks from bulletproof hosting (BPH) providers:

Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)
Netherlands’ National Cyber Security Centre (NCSC-NL)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
United Kingdom’s National Cyber Security Centre (NCSC-UK)
United States’ Department of Defense Cyber Crime Center (DC3)
United States’ Federal Bureau of Investigation (FBI)
United States’ National Security Agency (NSA)

A BPH provider is an Internet infrastructure supplier that intentionally markets and leases its infrastructure to threat actors. BPH providers pose a significant risk to the resilience and safety of critical systems and services.

This joint guidance provides recommendations to Internet service providers (ISPs) and network defenders to mitigate potential cybercriminal activity enabled by BPH providers. By applying these mitigations, ISPs and network defenders can help reduce the effectiveness of BPH infrastructures and potentially force threat actors to use legitimate infrastructure providers instead.

Read the full joint publication: Bulletproof defense: Mitigating risks from bulletproof hosting providers

Joint guidance on Microsoft Exchange Server security best practices

2025-10-30T16:14:44Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) as well as the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in releasing guidance on Microsoft Exchange Server security best practices.

Many organizations rely on Microsoft Exchange for critical communications, which require protection from threat actors. Reported abuse and exploitation of vulnerabilities within Exchange further demonstrates the importance of implementing security best practices.

Prevention and hardening defences are critical for Exchange servers to mitigate various types of compromises and protect the sensitive information and communications they manage.

This joint guidance provides security best practices to help administrators harden on-premises Exchange servers by enforcing a prevention posture and hardening authentication and encryption.

Read the full joint publication: Microsoft Exchange Server security best practices (PDF)

Defending against adversary-in-the-middle threats with phishing-resistant multi-factor authentication (ITSM.30.031)

2025-10-30T16:10:45Z

October 2025

Management series

ITSM.30.031

October 2025 | Management series

Alternate format: Defending against adversary-in-the-middle threats with phishing-resistant multi-factor authentication – ITSM.30.031 (PDF, 1.5 MB)

Overview

In the ever-evolving landscape of cyber security, the rise of adversary-in-the-middle (AitM) phishing poses a significant threat to organizations. AitM phishing has become increasingly popular among threat actors as organizations move to the cloud, shifting the frontline from defending traditional network perimeters to prioritizing identity protection.

Security requirements have grown increasingly complex, particularly in cloud environments, and threat actors have refined their tactics. As a result, implementing phishing-resistant multi-factor authentication (MFA) is critical for organizations to maintain strong cyber security.

This publication provides details on observed AitM phishing campaigns to highlight their prevalence and demonstrate the risk of leaving cloud accounts vulnerable. All findings in this publication are based on over 100 campaigns that the Canadian Centre for Cyber Security (Cyber Centre) detected targeting Microsoft Entra ID accounts between 2023 and early 2025. Although this is not a comprehensive overview of all AitM phishing campaigns happening globally, it offers a snapshot of how widespread these campaigns have become.

This publication aims to:

provide a comprehensive understanding of where these threats originate
highlight the need for all organizations to strengthen defences by employing phishing-resistant MFA by default
provide recommendations to enhance organizations’ security postures against these sophisticated campaigns

Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171)

2025-10-28T18:41:39Z

October 2025

Practitioner series

ITSP.10.171

October 2025 | Practitioner series

Alternate format: Protecting specified information in non-Government of Canada systems and organizations - ITSP.10.171 (PDF, 1.6 MB)

Foreword

This is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). For more information or to suggest amendments, contact the Contact Centre:

Effective date

This publication takes effect on April 2, 2025.

Revision history

First release: April 2, 2025
Second release: October 28, 2025

Overview

Protecting Specified Information is of paramount importance to Government of Canada (GC) departments and agencies and can directly impact the GC’s ability to successfully conduct its essential missions and functions. This publication provides GC departments and agencies with recommended security requirements for protecting the confidentiality of specified information when it resides in non-GC systems and organizations. These requirements apply to the components of non-GC systems that handle, process, store or transmit CI, or that provide protection for such components. The security requirements are intended for use by GC departments and agencies in contractual vehicles or other agreements established between those departments and agencies and non-GC organizations.

This publication is a Canadian version of the National Institute of Standards and Technology NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Cyber Centre will produce a companion publication to use in conjunction with this publication, based on NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information. That publication will provide a comprehensive set of procedures to assess the security requirements. In the interim, NIST SP 800-171A can be used as a reference.

Acknowledgments

The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at NIST for allowing the Cyber Security Guidance (CSG) team to use their guidance and modify it to the Canadian context.

Top of page

1 Introduction

This publication is a Canadian version of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. There are no substantial technical changes between this publication and NIST SP 800-171. The primary modifications arise from differences in laws, policies, directives, standards and guidelines. In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context.

The controls are aligned with Security and privacy controls and assurance activities catalogue (ITSP.10.033), which is a version of NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations adapted to the Canadian context.

Specified information includes any information, other than classified, that a GC authority identifies and qualifies in a contract as requiring safeguarding. Protected information, as well as the safeguarding and dissemination requirements for such information, is defined by the Treasury Board of Canada Secretariat TBS Directive on Security Management, Appendix J: Standard on Security Categorization and is codified in the TBS Policy on Privacy Protection. We use the term “specified information” in place of “controlled unclassified information” (CUI) which is used in the US document.

GC departments and agencies are required to follow the policies and directives published by TBS when using federal systems to handle, process, store, or transmit information^{Footnote 1}.

The responsibility of GC departments and agencies to protect specified information remains the same when sharing it with non-GC organizations. Therefore, a similar level of protection is needed when non-GC organizations using non-GC systems handle, process, store or transmit specified information. To maintain a consistent level of protection, the security requirements for safeguarding specified information in non-GC systems and organizations must comply with the TBS Policy on Government Security, TBS Policy on Service and Digital, and TBS Policy on Privacy Protection.

The security controls and activities presented in this publication outline requirements for federal contracting.

This publication does not contain the complete set of privacy-related controls and activities described in ITSP.10.033. Rather, it contains a subset of privacy-related controls that are shared with confidentiality-related controls.

1.1 Purpose

This publication provides GC departments and agencies with recommended security requirements for protecting the confidentiality of specified information when in resides in non-GC systems and organizations and where there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the specified information category.

The security requirements in this publication are only applicable to components^{Footnote 2} of non-GC systems that handle, process, store, or transmit specified information or that provide protection for such components. The requirements are intended to be used by GC departments and agencies in contractual vehicles or other agreements established with non-GC organizations.

It is important that non-GC organizations scope requirements appropriately when making protection-related investment decisions and managing security risks. By designating system components for handling, processing, storing or transmitting specified information, non-GC organizations can limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains can use physical separation, logical separation, or a combination of both. This approach can provide adequate security for specified information and avoid increasing the non-GC organization’s security posture beyond what it requires for protecting its missions, operations and assets.

1.2 Audience

This publication is intended for various individuals and organizations in the public and private sectors, including:

GC departments and agencies responsible for managing and protecting specified information
non-GC organizations responsible for protecting specified information
individuals with system development lifecycle (SDLC) responsibilities
individuals with acquisition or procurement responsibilities
individuals with system, security, privacy or risk management and oversight responsibilities
individuals with security or privacy assessment and monitoring responsibilities

1.3 Publication organization

The remainder of this publication is organized as follows:

Section 2 Fundamentals describes the assumptions and methodology used to develop the security requirements for protecting the confidentiality of specified information, the format of the requirements, and the tailoring criteria applied to the Cyber Centre guidelines to obtain the requirements
Section 3 Requirements lists the security requirements for protecting the confidentiality of specified information in non-GC systems and organizations

The following sections provide additional information to support the protection of specified information:

Annex A: Tailoring criteria
Annex B: Organization-defined parameters

Top of page

2 Fundamentals

This section describes the assumptions and methodology used to develop the requirements to protect the confidentiality of specified information in non-GC systems and organizations. It also includes the tailoring criteria applied to the controls in ITSP.10.033.

2.1 Security requirements assumptions

The security requirements in this publication are based on the following assumptions:

GC information designated as specified information has the same value regardless of whether such information resides in a GC or a non-GC system or organization
statutory and regulatory requirements for the protection of specified information are consistent in GC and non-GC systems and organizations
safeguards implemented to protect specified information are consistent in GC and non-GC systems and organizations
the confidentiality impact value for specified information is no less than low (Protected A), but will be medium for most large GC datasets
non-GC organizations can directly implement a variety of potential security solutions or use external service providers to satisfy security requirements

2.2 Security requirement development methodology

Starting with the ITSP.10.033 controls in the ITSP.10.033-01 Medium impact profile, the controls are tailored to eliminate selected controls or parts of controls that are:

primarily the responsibility of the GC
not directly related to protecting the confidentiality of specified information
adequately addressed by other related controls
not applicable

ITSP.10.171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of specified information. The security requirements are organized into 17 families, as illustrated in Table 1. Each family contains the requirements related to its general security topic. Certain families from ITSP.10.033 are not included because they do not directly contribute to confidentiality. For example, the Personal information handling and transparency (PT) family is not included because it is about handling personal information (PI), not about the confidentiality of the PI. The Program management (PM) family is not included because it is not related to confidentiality. Finally, the Contingency planning (CP) family is not included because it addresses availability.

The following are the security requirements families:

Access control
Awareness and training
Audit and accountability
Configuration management
Identification and authentication
Incident response
Maintenance
Media protection
Personnel security
Physical protection
Risk assessment
Security assessment and monitoring
System and communications protection
System and information integrity
Planning
System and services acquisition
Supply chain risk management

Organization-defined parameters (ODPs) are included in certain security requirements. ODPs provide flexibility through the use of assignment and selection operations to allow GC departments and agencies and non-GC organizations to specify values for the designated parameters in the requirements. Assignment and selection operations allow security requirements to be customized based on specific protection needs. The determination of ODP values can be guided and informed by laws, Orders in Council, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, ODP values become part of the requirement. When present in a control or activity statement, the square brackets indicate that there is an ODP that needs to be inserted by the reader in order for an organization to tailor the control to their context.

ODPs are an important part of specifying a security requirement. ODPs provide both the flexibility and the specificity needed by organizations to clearly define their specified information security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, ODPs support consistent security assessments to determine if specified security requirements have been satisfied. If a GC department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an ODP, non-GC organizations must assign the value or values to complete the security requirement.

Each requirement includes a discussion section, derived from the control discussion sections in NIST SP 800-53. These sections provide additional information to facilitate the implementation and assessment of the requirements. They are informative, not normative. The discussion sections are not intended to extend the scope of a requirement or to influence the solutions that organizations may use to satisfy a requirement. Examples provided are notional, not exhaustive, and do not reflect all the potential options available to organizations. The “References” section provides the source controls or assurance activities from ITSP.10.033, and a list of relevant publications with additional information on the topic described in the requirement.

Because this is the first iteration of the Canadian publication, controls that were withdrawn in NIST SP 800-171 Revision 3 have been labelled as “not allocated” to keep the same numbering for interoperability purposes.

The structure and content of a typical security requirement is provided in the example below.

The term “organization” is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an ODP, an organization can refer to either the GC department or agency or to the non-GC organization establishing the parameter values for the requirement.

Annex A describes the security control tailoring criteria used to develop the security requirements and the results of the tailoring process. It provides a list of controls and activities from ITSP.10.033 that support the requirements and the controls and activities that have been eliminated from the Medium impact profile in accordance with the tailoring criteria.

Top of page

3 Requirements

This section describes 17 families of security requirements for protecting the confidentiality of specified information in non-GC systems and organizations. In this section, the term “system” refers to non-GC systems or system components that handle, process, store or transmit specified information, or that provide protection for such systems or components. Not all security requirements mention specified information explicitly. Requirements that do not mention specified information explicitly are included because they directly affect the protection of specified information during its processing, storage or transmission.

There may be limitations to how some systems, including specialized systems (e.g., industrial/process control systems, medical devices, or computer numerical control machines) can apply certain security requirements. To accommodate such issues, the system security plan — as reflected in requirement System security plan 03.15.02 — is used to describe any enduring exceptions to the security requirements. Plans of action and milestones are used to manage individual, isolated or temporary deficiencies, as reflected in requirement Plan of action and milestones 03.12.02.

The security requirements in this section are only applicable to components of non-GC systems that process, store or transmit specified information or that provide protection for such components.

3.1 Access control

The controls in the Access control family support the ability to permit or deny user access to resources within the system.

03.01.01 Account management

Series of joint guidance on modern defensible architecture

2025-10-23T14:05:12Z

Czech Republic’s National Cyber and Information Security Agency (NÚKIB)
Germany’s Federal Office for Information Security (BSI)
Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC)
Japan’s National Cybersecurity Office (NCO)
Japan’s National Police Agency (NPA)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
Republic of Korea’s National Intelligence Service (NIS)

MDA is ASD’s ACSC initiative to ensure that organizations consider and actively apply secure design and architecture in their cyber security strategy, resilience planning and implementations.

This series of guidance includes 3 publications.

Foundations for modern defensible architecture

This joint guidance provides organizations with a baseline of secure design and architecture practices that prepare them to adapt to current and emerging cyber threats and challenges.

Read the full joint publication: Foundations for modern defensible architecture

Modern defensible architecture for senior decision makers

This joint guidance aims to assist senior decision-makers in understanding the contemporary threat landscape and how MDA can support organizations in defending against current threats and preparing for future threats.

Read the full joint publication: Modern defensible architecture for senior decision makers

Investing in modern defensible architecture

This joint guidance aims to assist organizations in developing an MDA investment roadmap based on their organizational:

strategy
business and security objectives
risk profile
threat context

Read the full joint publication: Investing in modern defensible architecture

Security considerations for Internet Protocol version 6 (ITSM.80.003)

2025-10-10T17:23:26Z

October 2025

Management series

ITSM.80.003

October 2025 | Management series

Alternate format: Security considerations for Internet Protocol version 6 - ITSM.80.003 (PDF, 551 KB)

Foreword

This is an unclassfied, publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, contact the Cyber Centre:

email contact@cyber.gc.ca |Mobile 613-949-7048 or 1‑833‑CYBER‑88

Effective date

This publication takes effect on October 10, 2025.

Revision history

First release: October 10, 2025.

Joint guidance on creating and maintaining a definitive view of your operational technology architecture

2025-09-29T12:06:35Z

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the following international partners in releasing guidance on creating and maintaining a definitive view of operational technology (OT) architecture:

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Germany’s Federal Office for Information Security (BSI)
Netherlands’ National Cyber Security Centre (NCSC-NL)
New Zealand’s National Cyber Security Centre (NCSC-NZ)
United States’ Cybersecurity and Infrastructure Security Agency (CISA)
United States’ Federal Bureau of Investigation (FBI)

This joint guidance defines a principles-based approach that OT organizations can use to build, maintain and store their system’s understanding. It is intended for cyber security professionals working in OT organizations across greenfield and brownfield deployments and includes the following principles:

Principle 1: Defining processes for establishing and maintaining the definitive record
Principle 2: Establishing an OT information security management program
Principle 3: Identifying and categorizing assets to support informed risk-based decisions
Principle 4: Identifying and documenting connectivity within your OT system
Principle 5: Understanding and documenting third-party risks to your OT system

Cyber security professionals can use these principles as a framework to develop a comprehensive record of their systems.

This joint guidance has been developed with contributions from partnering agencies and is part of a series of publications aiming to draw attention to the importance of cyber security in operational technology.

Read the full joint publication: Creating and maintaining a definitive view of your operational technology (OT) architecture

Statement from the Canadian Centre for Cyber Security on malware targeting global organizations through Cisco Systems

2025-09-25T16:04:29Z

The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), is urging Canadian organizations to take immediate action to protect themselves in response to a serious new cyber security threat identified today by Cisco: Cisco Event Response: Continued Attacks Against Cisco Firewalls. This threat affects end-of-life Cisco ASA devices.

Timing is crucial when vulnerabilities like these are identified. We strongly recommend network defenders bolster their defences based on our latest alert and advisory, and apply appropriate patches immediately.

Read the Cyber Centre's alert on this threat: AL25-012 - Vulnerabilities impacting Cisco ASA and FTD devices – CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363
Read the Cyber Center's advisory on this threat: Cisco security advisory (AV25-619)

This threat activity uses advanced techniques to avoid detection, making it difficult to identify through conventional means. If you believe your organization may be affected, please call us 1-833-CYBER-88 or email contact@cyber.gc.ca as soon as possible.

Quotes

"This is a critical moment for Canadian organizations. Threat actors are targeting legacy systems with increasing sophistication. I urge all critical infrastructure sectors to act swiftly. The Cyber Centre stands ready to assist. Early action is the best defence to protect your systems and safeguard your information."

- Rajiv Gupta, Head of the Canadian Centre for Cyber Security

Background

The Cyber Centre is aware of cyber threat activity against Cisco ASA 5500-X Series devices involving the deployment of highly sophisticated malware, targeting global organizations. These types of devices are commonly used by organizations across Canada.

Expert teams at the Cyber Centre are actively investigating the vulnerability’s scope and have initiated outreach to support stakeholders and coordinate a unified response.

Together, through vigilance and collective action, we can continue to strengthen Canada’s cyber resilience from coast to coast to coast.

For more information on vulnerabilities, please visit the Cyber Centre’s Alerts and advisories page.

For best practices, please visit the Cyber Centre’s Guidance page.

Recommended Contract Clauses for Cryptography (ITSM.00.501)

2025-09-22T19:38:33Z

September 2025

Management series

ITSM.00.501

September 2025 | Management series

Alternate format: Recommended Contract Clauses for Cryptography – ITSM.00.501 (PDF, 462 KB)

Foreword

This is an unclassfied, publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, contact the Cyber Centre:

email contact@cyber.gc.ca |Mobile 613-949-7048 or 1‑833‑CYBER‑88

Effective date

This publication takes effect on September 2025.

Revision history

First release: September 1, 2025

Threat detection for SharePoint vulnerabilities

2025-09-05T14:11:58Z

The Canadian Centre for Cyber Security (Cyber Centre) is actively tracking multiple campaigns exploiting recently disclosed critical vulnerabilities in on-premises Microsoft SharePoint servers, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. These widespread campaigns leverage an exploit chain known as ToolShell.

To help defenders combat attacks leveraging these vulnerabilities, the Cyber Centre has compiled a detailed analysis derived from recent investigations. This analysis outlines the full attack path, examines the evolution and use of the ToolShell exploit chain, and provides an in-depth characterization of the threat actor’s techniques, along with critical mitigation and detection guidance.

Cyber security hygiene best practices for your organization - ITSAP.10.102

2025-09-04T12:56:09Z

September 2025

Awareness series

ITSAP.10.102

September 2025 | Awareness series

Cyber security hygiene refers to the best practices your organization can take to maintain the overall health and security of your IT environment. Your cyber security hygiene helps you better defend your networks, systems and data from threat actors.

Threat actors, even in more sophisticated attacks, leverage common vulnerabilities and weaknesses to attack systems and gain initial access. By building a solid cyber security foundation, your organization is better positioned to protect, defend and recover from cyber incidents.

Cyber security hygiene checklist

The following checklist provides actions your organization can take to strengthen your cyber security.

While not all actions may be feasible, you should prioritize implementing those that are most impactful and sustainable for your organization. Doing so will enhance your cyber security posture.

Network and endpoint protection

Protect your network and endpoints with the following tools
- anti-virus and anti-malware software
- network protocol inspection tools
- endpoint detection and response
- firewalls
- wireless intrusion detection and prevention systems
- mobile endpoint threat management solutions and mobile threat defence products
Segment your networks to stop traffic from flowing to sensitive or restricted zones
Implement a security information and event management system to enable real-time, continuous monitoring to identify anomalies in your
- network traffic
- wireless access points
- mobile device gateways
Monitor your security critical components, including the
- Domain Name System (DNS) server
- authentication server
- public key infrastructure
Implement protective DNS to prevent users from inadvertently visiting potentially malicious domains on the Internet
Regularly renew cryptographic keys to maintain secure communications
Document secure baseline configurations for all your IT, operational technology components and cloud infrastructure
Establish and maintain a configuration management database
Conduct and maintain an inventory of your IT assets
Manage and detect unauthorized assets by developing and maintaining IT asset management procedures that ensure proper tagging and labelling of hardware and software assets

Top of page

System protection

Enable automatic updates and patches for your firmware, hardware, software and operating systems, especially for Internet-exposed services and systems
Patch operating systems and applications promptly after assessing organizational risk and confirming compatibility with your environment
Enforce phishing-resistant multi-factor authentication (MFA) for all accounts and systems, especially those with administrative privileges
Encourage the use of strong, unique, and confidential passphrases or passwords where MFA is not technically feasible
Ensure administrators use dedicated workstations that do not allow web browsing or email access
Regularly review and update user privileges, such as
- remove users no longer in your organization
- edit user privileges if users no longer require access to certain data or systems
- limit administrative privileges to a small number of users
- require two-person integrity for administrative privileges
- conduct administrative functions from a dedicated administrative workstation
Apply the principle of least privilege, ensuring users only have the set of privileges that are essential to performing authorized tasks
Consider role-based access control
Manage mobile devices with unified endpoint management software
Implement application allow lists to control what applications and components are allowed on your networks and systems
Assess third-party applications to identify and disable unnecessary components or functions or require human intervention before activation (for example, macros)
Disable autorun or autoplay on all your operating systems and web browsers to avoid automatic installations of unauthorized software
Establish an incident response plan and conduct annual tests to ensure timely restoration of critical functions and effective recovery
Categorize your assets to identify those that are most critical to your organization's operations
Regularly backup critical data and systems to offline storage, ensuring backups are isolated from network connections
Test your backups periodically to ensure data and systems can be recovered quickly and successfully
Proactively manage device lifecycles to address vulnerabilities in end-of-life or end-of-service-life devices, which often remain unpatched and increase security risks

Top of page

User education and additional protective measures

Provide ongoing, tailored cyber security training to ensure your employees know how to respond to suspicious links or emails
Provide privacy awareness training to your employees to reduce the risk of privacy breaches
Identify and subscribe to relevant security information sources or alert services to stay informed about threats that could impact your organization
Develop an internal and external contact list of key stakeholders to alert during cyber threat events

Top of page

Virtualizing your infrastructure (ITSAP.70.011)

2025-09-04T11:54:22Z

September 2025

Awareness series

ITSAP.70.011

August 2025 | Awareness series

Virtualization is a method of hardware abstraction that allows the creation of software versions of IT systems and services which are traditionally implemented on separate physical hardware. These software versions, or virtual instances, can dramatically increase efficiency and decrease costs. Virtualization uses hardware to its full capacity by distributing its capabilities among many different services.

Before implementing virtualization within your organization, you should understand the associated risks and ensure you protect your network, systems and information. This guidance covers the basics virtualization, how your organization can benefit from it and the potential risks involved.

How virtualization works

To run your systems and services virtually there are 3 main components.

Virtual machine

With virtualization, you can run your applications on fewer physical servers. Applications and software run virtually on a simulated computer system called a virtual machine (VM). The VM has all the features of a computer server, without needing the physical hardware attached. A hypervisor supports the VM.

Hypervisor

The hypervisor provides the layer of abstraction between the underlying hardware and hosted virtual machines. An abstraction layer can hide or show as much detail about your system as you want. The hypervisor allocates resources, such as centralized processing unit access, storage and memory, to multiple VMs. This allows them to run concurrently on the same underlying hardware as though they each had their own dedicated hardware.

The use of hypervisor technology may allow for quicker builds and snapshots of VM images. The administration of the hypervisor should be done using a dedicated administrator workstation (DAW). DAWs are limited-use workstations that can only be used by those who have privileged access to perform administrative tasks. They are meant to increase the security of your network.

There are 2 types of hypervisors:

bare-metal hypervisor (also known as Type 1), which runs directly on physical hardware
hosted (also known as Type 2), which runs as an application on a host operating system

Hypervisor technologies may also provide additional functionality or features such as the use of VM snapshots and backups, virtual networking capabilities between VMs, VM monitoring and more. Note, that the use of a hypervisor may incur additional overhead.

Hardware servers

A single hardware server may support multiple VMs. Without virtualization, idle applications have resources that are unused, for example:

processing power
RAM
storage

With virtualization, hardware servers can be used at full capacity to offer the hypervisor all the resources necessary to support the VMs.

Figure 1: Hardware server supporting a virtual machine

Long description – Figure 1: Hardware server supporting a virtual machine

Universal plug and play (ITSAP.00.008)

2025-09-03T18:32:08Z

September 2025

Awareness series

ITSAP.00.008

September 2025 | Awareness series

Universal plug and play (UPnP) is a protocol that allows devices on the same network to automatically discover, connect to and interact with one another. Common examples of devices that use UPnP include:

mobile devices
smart devices (for example, speakers, televisions and cameras)
computers
gaming systems
printers
Wi-Fi devices
routers

While UPnP services can be convenient for automating device connectivity, it can expose you to several security risks. We therefore recommend disabling UPnP, especially on perimeter devices such as home routers that manage firewalls, switches and Wi-Fi access points for other connected devices. Before you disable UPnP, check what level of security your devices need, since some require the service to work properly.

How universal plug and play is used

UPnP is used to connect devices seamlessly within a local network. It allows you to automatically connect smart devices, gaming consoles and computers, media streaming devices and remote device control. UPnP allows compatible devices to interact and work together within a related network for versatility and convenience. Here are some examples of how UPnP is commonly used.

Smart devices

Smart devices use UPnP to communicate with each other, allowing them to automatically adjust settings or change their environment based on the actions of other devices. For example, smart lighting that changes colour or brightness in response to temperature changes detected by a connected smart thermostat.

Gaming consoles and computers

Gaming consoles can discover and connect with each other to join multiplayer sessions and share game content in real time.

Media streaming

Devices that support media streaming can share and stream videos, music and photos among other UPnP-enabled devices.

Remote access

You can use remote device control from a smartphone or computer to control actions or settings on UPnP-supported devices. For example, UPnP can be used to remotely lock or unlock a smart lock to your house.

Related risks

While UPnP-enabled devices are convenient, they also introduce potential security risks because they often operate with minimal authentication or access controls. As a result, devices and networks using UPnP may be exposed to several common threats that can compromise security and privacy.

Malware

Threat actors can compromise UPnP-enabled devices with malware. For example, they may use distributed denial-of-service (DDoS) attacks to configure UPnP devices to be accessible and ready to receive and send data.

Unauthorized access

Any UPnP devices connected to a common network can be compromised by someone who gains access to that network. This could be a threat actor exploiting a device connected to the network or a local user accessing a connected device (for example, an insider threat).

The two main ways devices using UPnP on a network can be compromised include:

external threats: attackers who gain unauthorized access to your network (for example, by exploiting a vulnerable device) can target UPnP-enabled devices to manipulate device settings, intercept communications, or install malware
insider threats: individuals with legitimate access to the local network that tamper with or misuse UPnP-connected devices, including reconfiguring devices, accessing sensitive data or intentionally weakening network security

Network configuration

UPnP offers control of network configuration settings, such as port forwarding, which threat actors can leverage to bypass firewalls, change access lists, or modify security measures. This makes it difficult to detect and block malicious traffic. Threat actors can also use a UPnP-connected device to manipulate network configuration to expose router web administration details, redirect traffic to malicious external servers, modify credentials and control internal connections and device activities.

Data sharing

Connected UPnP devices share data that allows them to interact with each other and to action certain activities. This can pose a privacy risk if devices that handle sensitive information connect and share data with other devices on the network.

How to secure your devices

The most effective way to protect against UPnP-related attacks is to disable the service entirely. If disabling UPnP is not an option, you can reduce vulnerabilities to your network by:

restricting UPnP access by creating a virtual local area network (VLAN) or a separate network zone to isolate UPnP-enabled devices from other devices on your network
updating devices regularly and enabling automatic updates where available to further mitigate the risk of threat actors taking control of your devices and leveraging UPnP protocols maliciously
logging and regularly monitoring device activity for any irregularities and potential threats
regularly reviewing security settings and port-forwarding rules on your router and any other networking devices you own
keeping up to date with new and emerging technologies and threats by reading Cyber Centre resources and publications
training employees on and spreading awareness of cyber security best practices to identify, understand and manage potential threats to your systems
using Canadian Internet Registry Authority (CIRA) tools and services to strengthen security if your router needs to be UPnP-enabled

How to disable universal plug and play on a home router

The steps to disable UPnP on your home router will vary depending on the make and model of the router, but generally, you should follow these 3 steps:

Log into your router's administrative or configuration webpage
Select the UPnP settings that are often found under the "advanced" or the "NAT forwarding" configuration options
Choose the option to "disable UPnP"

If you choose not to disable UPnP on your home router, you can block ports associated with UPnP at the Internet gateway. This helps prevent unauthorized external devices from accessing internal devices using UPnP.

Guidance, news and events

Suggested organizational security and privacy control and activity profile — Medium impact (ITSP.10.033-01)

Foreword

Effective date

Revision history

Overview

Table of contents

Security and privacy controls and assurance activities catalogue (ITSP.10.033)

Table of contents

List of figures

Cyber security and privacy risk management: A lifecycle approach

EtherHiding: The trojan in your toolchain

Table of contents

Joint guidance on securing space and cyber security for low earth orbit satellite communications

Top 10 artificial intelligence security actions: A primer - ITSAP.10.049

Pillar 1: Protecting against adversarial use of AI

Action 1: Implement prompt injection and jailbreak mitigations

Action 2: Defend against deepfake and impersonation

Action 3: Harden defences against AI powered cyber attacks and fraud

Pillar 2: Protecting AI systems

Action 4: Conduct testing and red teaming of AI to identify modifications

Action 5: Safeguard against data poisoning

Action 6: Implement data usage controls and model theft prevention

Action 7: Secure AI engineering and supply chain processes

Pillar 3: Protecting users and business processes

Action 8: Enforce data privacy, vendor and contractual controls

Action 9: Ensure that human-in-the-loop oversight and execution controls are in place

Action 10: Maintain operational resilience against model drift, hallucinations, bias and overreliance

Joint guidance on supply chain risks and mitigations for artificial intelligence and machine learning

Cyber threat bulletin: Iranian Cyber Threat Response to US/Israel strikes, February 2026

Overview

Iran uses cyber program to retaliate, achieve geopolitical goals

Characteristics of Iranian cyber threat activity

Useful resources

About this document

Contact

Assessment base and methodology

Estimative language

Joint guidance on malicious cyber threats to SD-WAN networks

Quote

Background

Mitigation advice

Additional resources

CSE calls on Canadian organizations and critical infrastructure providers to strengthen defences on fourth anniversary of Russia’s invasion of Ukraine

Recommended actions

Related resources

Security considerations for SIMs (ITSAP.10.021)

On This Page

Difference between a SIM card and an eSIM

Considerations for eSIMs

SIM swapping

How SIM swapping happens

Calling your provider

Stealing your credentials

Exploiting insider access

Consequences of SIM swapping

Individual risks

Organizational risks

The signs of SIM swapping

How to protect your SIM

Organization-specific security measures

Learn more

GeekWeek 11

Detection and Deception

Venue

Event date

Registration information

Keynote speaker

Participating organizations

Topics and themes

The cyber threat to marine transportation

Table of contents

Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140

Foreword

Effective date

Revision history

Overview

Table of contents

Spotting malicious email messages (ITSAP.00.100)

On this page