Getting Started With

Cybersecurity
Lesson Scripts
1.0
Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home

9/21/2023
TABLE OF CONTENTS

Firewall 4
Network Access Control 7
Sandbox 9
Web Application Firewall 11
Secure Email Gateway 13
Content Filters 15
Wi-Fi 17
Endpoint Hardening Techniques 19
Endpoint Monitoring 23
SOAR 25
SIEM 27
Secure SD-WAN 29
ZTNA 31
Cloud Services Models 33
SASE 35
Firewall

Welcome to the Firewall lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives.

As networks began to grow, interconnect with one another, and eventually connect to the internet, it became
important to control the flow of network traffic. Firewalls became that means of control, and they had to evolve
alongside networks. They are classified into generations: the first-generation packet filter firewall, also known
as a stateless firewall; the second-generation stateful firewall; the third-generation application-aware firewall;
and the next-generation firewall (NGFW).

The first generation of firewall is the packet filter firewall, also known as a stateless firewall. It examines
network-layer and transport-layer header fields: source and destination addresses, the protocol, and the port
numbers. Firewall policies use these attributes to define which packets are allowed through. The rules are ordered
in a list, each packet is compared against them from top to bottom, and the first matching rule decides. The final
rule can be implicit (an unstated default that denies anything no earlier rule matched) or explicit (a catch-all
rule the administrator adds to allow or deny everything else).

A stateless firewall passes a packet if its addresses, protocol, and port number match an allow rule. If they do
not, the packet is either silently dropped or rejected with an error response (for example a TCP reset or an ICMP
unreachable message). Rejecting is friendlier to legitimate clients; dropping reveals less to a port scanner.

Click the buttons for more information.

A drawback of a stateless firewall is that it requires additional configuration to offer a suitable level of protection.
For example, it needs a separate rule for the return traffic of every session, and that rule must stay open
permanently, whether or not a session exists. It also handles poorly protocols that negotiate random ports or use
several connections at once, such as FTP, whose data connection is opened on a port agreed inside the control
connection.

Stateless firewalls use a one-size-fits-all approach to decide whether to allow traffic to pass. Because of this
open approach, bad actors can potentially bypass firewall rules by injecting rogue packets through permitted
protocols and ports, or by exploiting bugs in the networking software listening behind those ports.

The second generation of firewall, known as a stateful firewall, offsets the limitations of the stateless firewall by
adding connection tracking to the criteria for blocking or allowing traffic.

A stateful firewall observes network connections over time by recording each connection's 5-tuple (source
address, destination address, protocol, source port, and destination port) and its connection state in a session
table. It watches as new connections are made and continuously examines the traffic going back and forth between
the endpoints. If a connection behaves improperly, or if return traffic does not correspond to a connection that was
opened from the permitted side, the firewall blocks it. Any packet that does not belong to a known conversation
and does not match an allow policy is dropped.
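The two designs described above, written out as a toy ordered packet filter. This is an added example, not code from the Fortinet lesson or any Fortinet product; the addresses, ports, rules and packets are constructed, and the "syn" flag stands in for the TCP handshake so that a stateful filter can tell a new connection from a stray packet.

```python
"""Added example (not from the Fortinet lesson): a toy ordered packet filter,
first stateless and then stateful.  All addresses, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: set only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR, e.g. "10.0.0.0/24"
    dst: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport))


# Ordered policy: first match wins; anything that reaches the bottom is implicitly denied.
POLICY: List[Rule] = [
    Rule("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "allow"),   # LAN clients to any HTTPS server
    Rule("10.0.0.0/24", "0.0.0.0/0", "udp", 53, "allow"),    # LAN clients to any DNS server
]

# The extra rule a stateless firewall needs so that server replies can come back in.
# It stays open all the time, whether or not any client currently has a session.
STATELESS_RETURN_RULE = Rule("0.0.0.0/0", "10.0.0.0/24", "tcp", None, "allow")


def stateless_decide(p: Packet, policy: List[Rule] = POLICY) -> str:
    """First-generation filter: every packet is judged on its own header fields only."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"   # implicit deny at the end of the list


class StatefulFirewall:
    """Second-generation filter: the policy is consulted only when a connection is opened;
    every later packet, including the return traffic, is matched against the session table."""

    def __init__(self, policy: List[Rule] = POLICY) -> None:
        self.policy = policy
        self.sessions: Set[Tuple[str, str, str, int, int]] = set()   # allowed 5-tuples

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"          # part of a known conversation
        if p.proto == "tcp" and not p.syn:
            # A TCP packet without SYN cannot legitimately start a connection.  This is the
            # "rogue packet" that the permanent return rule of a stateless filter lets through.
            return "deny"
        if stateless_decide(p, self.policy) == "allow":
            self.sessions.add(forward)
            return "allow"
        return "deny"
```

The stateless filter cannot pass the server's reply without STATELESS_RETURN_RULE, and once that rule is present it also passes any packet an outsider sends to a high port on the LAN. The stateful filter admits the reply because the client's SYN created a session entry, and denies the unsolicited packet because it matches no session and is not a SYN.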

Click the button for more information.

While stateful firewalls are an improvement, they still cannot block rogue packets if they are using an acceptable
protocol, such as HTTP. The explosion of the World Wide Web promoted HTTP as one of the most frequently
used network protocols. The problem is that HTTP is used in many ways, such as in static text content, e-
commerce, file hosting, and many other types of web applications. Because they all use the same port number,
the firewall is not able to distinguish between them.

4 Getting Started in Cybersecurity 1.0 Lesson Scripts


Fortinet Technologies Inc.
Firewall

Network administrators need to distinguish between approved and malicious applications to determine which
ones to pass or block. Firewalls must look deeper into the data payloads to determine how protocols such as
HTTP are used.

The third generation of firewall looks deeper into the data payloads. While still stateful, these firewalls understand
application layer protocols and can control different uses of the same basic protocol. This is known as application
layer filtering. Firewalls that implement application layer filtering can understand protocols such as HTTP, FTP,
and DNS.

With application layer filtering, a firewall can tell plain browsing apart from a blog, a file sharing site, e-commerce,
social media, voice-over-IP, or webmail, even though all of them travel over HTTP on the same port. Unified threat
management (UTM) firewalls also combine additional protections like antivirus, antispam, an intrusion prevention
system (IPS), and a virtual private network (VPN).
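The application layer filtering described above, as an added example that is not part of the lesson or of any Fortinet product. It parses the start of an HTTP/1.x request on port 80 and decides by application category rather than by port; the host-to-category table is a constructed stand-in for the category database a real UTM firewall would consult, and the host names are constructed.

```python
"""Added example (not from the Fortinet lesson): application-layer filtering of port-80 traffic.
The HTTP requests and the host-to-category table are constructed for illustration."""
from typing import Dict, Optional

# Stand-in for an application signature/category database (constructed).
APP_CATEGORIES: Dict[str, str] = {
    "shop.example": "e-commerce",
    "files.example": "file-sharing",
    "blog.example": "blog",
}
BLOCKED_CATEGORIES = {"file-sharing"}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return method, path and Host header, or None if the payload is not an HTTP/1.x request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                      # not a request line: some other protocol on port 80
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", "")}


def l7_decide(dport: int, payload: bytes) -> str:
    """A stateful filter stops at 'tcp/80'; this looks inside the payload and decides by application."""
    if dport != 80:
        return "deny"
    req = parse_http_request(payload)
    if req is None:
        return "deny"                    # non-HTTP traffic tunnelled over the HTTP port
    if req["method"] not in ALLOWED_METHODS:
        return "deny"                    # methods ordinary browsing never needs
    host = req["host"].split(":")[0].lower()
    category = APP_CATEGORIES.get(host, "uncategorized")
    return "deny" if category in BLOCKED_CATEGORIES else "allow"
```

All three constructed payloads below arrive on the same port, so a stateful firewall would treat them identically; here the e-commerce request is allowed, the file-sharing upload is blocked by category, and an SSH banner smuggled over port 80 is blocked because it is not HTTP at all.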

Click the underlined terms for more information.

Today, the prevalence of the internet has changed the way of working, playing, entertaining, and doing
commerce. Businesses have evolved to take advantage of cheaper, multi-cloud services, and the convenience of
mobile and IoT devices has dramatically expanded network edges, thereby increasing the attack surface.

Just as the internet has evolved, so have threat actors. They continue to change in terms of attack methods and
level of sophistication. Attacks can now come from trusted users, devices, and applications that spread malware,
both unknowingly and with malicious intent.

A firewall must prevent evolving cyberattacks at every edge of the network while delivering security, reliability, and
network performance. Next-generation firewalls, like FortiGate, provide these advanced security capabilities.

A next-generation firewall operates like airport security, with both having multiple security checkpoints. Just as a
security agent looks at your boarding pass as a first line of defense, a next-generation firewall looks at packets
and makes rule-based decisions whether to allow or drop the traffic.

Next, your travel bags are checked by security to see if you are carrying any banned or malicious items. This is
similar to the way a next-generation firewall performs deep packet inspection (DPI).

Click the underlined term for more information.

If suspicious items are found in your travel bag, an airport security agent sets the bag aside for enhanced
screening. In a similar vein, the next-generation firewall sends malicious content to a sandbox for further analysis.

Click the underlined term for more information.

As networks continue to evolve and introduce new challenges, next-generation firewalls also continue to evolve.
For example, next-generation firewalls can control applications, either by application classification or by the
identity of the user. Application-level security helps protect web-browsing clients from attacks and threats.

Next-generation firewalls have also adopted segmentation approaches that separate users, devices, and
applications along lines aligned to business needs. By segmenting the network rather than running a flat one, the
firewall removes the single point of entry that used to let an intruder who got in anywhere spread threats across
the whole network. In response to these challenges, firewalls are evolving from reactive to proactive devices,
using artificial intelligence to help enforce security policies.

Next-generation firewalls also deliver high-performance inspection and greater network visibility, with little to no
degradation, to support and protect modern, distributed data centers located within a complex and hybrid IT
infrastructure. Hybrid data centers offer businesses greater agility, flexibility, and scale on demand, as well as an
expanded attack surface that requires an equally evolved security strategy. High-performance inspection includes
applications, compute resources, analytics, encrypted data that moves throughout the infrastructure, and data
storage across multiple private and public clouds.


You have completed the lesson.

Network Access Control

Hello! In this lesson, we will introduce you to Network Access Control (NAC) and explain how it has evolved.

NAC is an appliance or virtual machine that controls device access to the network. It began as a network
authentication and authorization method for devices joining the network, following the IEEE 802.1X standard. The
authentication method involves three parties: the client device (the supplicant), the authenticator, and the
authentication server. The authenticator is usually a network switch or wireless access point that demarcates the
protected network from the unprotected network. The client presents credentials in the form of a username and
password, a digital certificate, or some other means to the authenticator, which forwards them to the
authentication server, typically over RADIUS. Depending on the outcome of authentication, the authenticator either
blocks the device or allows it onto the network. Another method to control access to a network, especially a
publicly available one, is a captive portal. If you have ever connected to a network in an airport, hotel, or coffee
shop, you might remember interacting with a web page that asked you to agree to legal terms before granting access.

Later, NAC evolved to accommodate guest access, Bring Your Own Device (BYOD), and the Internet of Things
(IoT). BYOD and IoT devices introduced new security challenges for two reasons. One, BYOD devices are
personally owned, not assets of the organization, so the IT department does not control what runs on them, for
example whether antivirus software is installed or unsafe applications are present. Two, IoT devices are hardware
with sensors that transmit data from one place to another over the internet, dramatically expanding the attack
surface. Organizations buy IoT-enabled devices from other vendors, and these devices connect back to vendor
networks to report on product use and maintenance needs. Organizations tolerate this situation because IoT
devices save them time and money. For example, if a printer is low on toner, the vendor could notify the network
administrator by email, or even deliver a new toner cartridge automatically. In a smart home, IoT devices regulate
heat and humidity, remotely control the locks on doors, monitor what is in the fridge, and even help with your
grocery lists.

The evident convenience of these devices has made them wildly popular and numerous. However, the variety of
devices, the lack of standards, and the inability to secure these devices make them a potential conduit for
contagion to enter the network. Many IoT devices lack the CPU cycles or memory to host authentication and
security software. They identify themselves using a shared secret or unique serial number, which is inserted
during manufacturing. But this authentication scheme is very limited—should the secret become known, there is
likely no way to reset it, and without the ability to install security software, there is little visibility into those devices.
Fortunately, NAC evolved to solve these weaknesses.

When the IT department introduces NAC into a network, the first thing NAC does is create profiles of all connected
devices. NAC then permits access to network resources based on the device profile, which is defined by the
device's function. This is similar to granting individuals access to sensitive information based on their need to
know. For example, NAC would permit an IP camera to connect to a network video recorder (NVR) server, but
would prevent it from connecting to a finance server, because a camera has no business communicating with a
finance server. When access is granted this way, the network becomes segmented by device function. If a device
is compromised, malware can reach only those systems the device is permitted to connect to. So the compromised
IP camera from the example could infect the NVR server, but not the finance server.

While NAC proved highly effective at managing numerous unprotected devices, it had shortcomings over its
evolution. Some NAC solutions were designed to help with BYOD onboarding in wireless networks, but performed
badly in the wired portion of the network. Other solutions were developed to work within a single vendor
environment, but couldn’t automatically profile third-party devices. Some had good visibility into small, simple
networks, but didn’t scale well into large, distributed networks.


Today, most NAC solutions have redressed these limitations. They have more complete visibility into the network
and are better at categorizing devices automatically. They effectively perform in both Ethernet and wireless
networks. Many NAC solutions have centralized architecture that improves managing devices across large and
multisite networks. Critically, NAC must also be integrated into the security framework, so that when a breach is
detected, NAC automatically notifies the security operations center (SOC) and coordinates with other security
devices to neutralize the threat.
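The profile-based segmentation from the IP camera example above, together with the quarantine response described in the last paragraph, as an added example that is not from the lesson or from FortiNAC. The profiles, the vendor-class strings used for classification and the server addresses are constructed; the one real detail is that Windows DHCP clients send a vendor class identifier beginning "MSFT", which is why that substring selects the workstation profile.

```python
"""Added example (not from the Fortinet lesson): NAC-style device profiling, function-based
segmentation and quarantine.  Profiles, vendor-class strings and addresses are constructed,
except that Windows DHCP clients really do send a vendor class beginning "MSFT"."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set


@dataclass
class Device:
    mac: str
    dhcp_vendor_class: str     # DHCP option 60 as observed on the switch port
    profile: str = "unknown"


# Each profile lists the destination groups that device function legitimately needs.
# Anything not listed is denied, so the network is segmented by function rather than flat.
PROFILES: Dict[str, Set[str]] = {
    "ip-camera":   {"nvr"},
    "printer":     {"print-server"},
    "workstation": {"nvr", "print-server", "finance", "internet"},
    "quarantine":  set(),      # isolated after a compromise report: nothing reachable
    "unknown":     set(),      # unprofiled devices get nothing until they are classified
}

INTERNAL_NET = ip_network("192.0.2.0/24")
DESTINATION_GROUPS = {         # server address -> group (constructed)
    "192.0.2.10": "nvr",
    "192.0.2.20": "finance",
    "192.0.2.30": "print-server",
}


def profile_device(dev: Device) -> str:
    """Classify from observed attributes.  A real NAC also uses the MAC OUI, traffic
    patterns and agent data; the substring matches here are a made-up stand-in."""
    vc = dev.dhcp_vendor_class.lower()
    if "cam" in vc:
        dev.profile = "ip-camera"
    elif "printer" in vc:
        dev.profile = "printer"
    elif vc.startswith("msft"):
        dev.profile = "workstation"
    else:
        dev.profile = "unknown"
    return dev.profile


def destination_group(dst_ip: str) -> str:
    if dst_ip in DESTINATION_GROUPS:
        return DESTINATION_GROUPS[dst_ip]
    return "internal-other" if ip_address(dst_ip) in INTERNAL_NET else "internet"


def is_allowed(dev: Device, dst_ip: str) -> bool:
    """Enforcement decision: the device's profile must list the destination's group."""
    return destination_group(dst_ip) in PROFILES[dev.profile]


def quarantine(dev: Device) -> str:
    """Response when the SOC or another security device reports the endpoint as compromised."""
    dev.profile = "quarantine"
    return dev.profile
```

The camera can reach the NVR and nothing else, the workstation can reach the finance server and the internet, an unclassified device reaches nothing, and once the camera is quarantined even the NVR is cut off.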

Fortinet offers a network access control solution, named FortiNAC™. It contains all of the features identified in this
lesson.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Sandbox

Hello! In this lesson, we will explain what a sandbox is, why it was invented, and how it has evolved.

A sandbox, in the computer security context, is a system that confines the actions of an application, such as
opening a Word document or a browser, to an isolated virtual environment. Within this safe virtual environment,
the sandbox observes the application's interactions with the system (files written, processes started, registry
changes, network connections) to uncover any malicious intent. So if something unexpected or dangerous happens,
it affects only the sandbox, and not the other computers and devices on the network.

Sandbox technology is typically managed by an organization’s information security team, but is used by network,
applications, and desktop operations teams to bolster security in their respective domains.

Threat actors exploit vulnerabilities in legitimate applications to compromise a device, and from there move
through the network to infect other devices. Exploiting a vulnerability that is not yet publicly known is called a
zero-day attack. Before sandboxing, there was no effective means to stop a zero-day attack: firewalls and antivirus
software could stop known threats because they matched signatures, but a zero-day has no signature yet, so
these tools were helpless against it.

A sandbox provided an isolated virtual environment that mimicked various computer devices, operating systems,
and applications. It allowed potential threats to play out within the safety of these virtual systems. If the sandbox
concluded that the suspicious file or activity was benign, no further action was needed. However, if it detected
malicious intent, the file could be quarantined or the activity could be stopped on the real device.

Many of the early sandboxes failed to tightly integrate with other security devices within the network. While a
sandbox might identify and defeat a zero-day attack, this vital threat intelligence was not always shared with the
other network security devices in a timely fashion. However, the failure to communicate and coordinate had less to
do with a defect of sandbox technology than with a security architecture built upon point solutions. Point
solutions, which could not be fully integrated with other vendors' products, meant that the security operations
center (SOC) required a management console for each product. So, attempts to aggregate threat intelligence data
were difficult and time consuming.

The second-generation sandbox came about to correct this siloed, piecemeal approach. Sandboxes were
equipped with more integration tools or partnered with other product vendors to improve integration. As a result,
they could share threat intelligence with other security devices, such as firewalls, email gateways, endpoints,
and other sandbox devices, more effectively. The new approach to network security allowed analysts to correlate
threat intelligence centrally and respond to threats from a single pane of glass. Moreover, an integrated network
security environment could share information with a threat intelligence service in the cloud, which could push it
to other networks.

Today, threat actors are adopting automation and artificial intelligence (AI) techniques to accelerate the creation
of new malware variants and exploits, and to discover security vulnerabilities more quickly, with the goal of
evading and overwhelming current defenses. To keep pace and accelerate detection of these new threats, machine
learning has to be added to the sandbox threat analysis process.

AI-driven attacks necessitated a third-generation sandbox based on a threat analysis standard. It also needed to
cover the expanding attack surface of businesses brought about by digital transformation, the movement of
business data, applications, and infrastructure to the cloud.

The need for standards-based threat analysis arose from the struggle to interpret and understand attacker
methods, which hampered effective responses. MITRE, a non-profit organization, proposed the ATT&CK
framework, a knowledge base that catalogs the tactics and techniques adversaries use, each with a stable
identifier. Many organizations embraced MITRE ATT&CK as a standard for threat analysis, so it became
necessary for security products to adopt it. ATT&CK gave security devices a common language in which to
identify, describe, and categorize threats, one that could be shared with and readily understood by other vendors'
devices.
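How a sandbox verdict can be expressed in that common language, as an added example that is not from the lesson or from FortiSandbox. The behaviour trace is a constructed list of events of the kind a sandbox records while detonating a sample; the detection rules and their weights are this example's own choices, not a published scoring scheme. The technique identifiers are real ATT&CK IDs (T1059.001 PowerShell, T1547.001 Registry Run Keys, T1071.001 Web Protocols, T1105 Ingress Tool Transfer), so the output is something another vendor's device could act on.

```python
"""Added example (not from the Fortinet lesson): turning a sandbox behaviour trace into
ATT&CK technique IDs, a score and a shareable verdict.  Trace events and weights are
constructed; the technique IDs are real ATT&CK identifiers."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str      # "process", "registry", "network" or "file"
    detail: str    # command line, registry path, URL or file path observed in the sandbox


# (event kind, lower-case substring) -> (ATT&CK technique, weight).  Weights are made up.
RULES: Dict[Tuple[str, str], Tuple[str, int]] = {
    ("process", "powershell"):           ("T1059.001", 3),  # Command and Scripting Interpreter: PowerShell
    ("registry", "currentversion\\run"): ("T1547.001", 4),  # Boot or Logon Autostart: Registry Run Keys
    ("network", "http"):                 ("T1071.001", 1),  # Application Layer Protocol: Web Protocols
    ("file", ".exe"):                    ("T1105", 2),      # Ingress Tool Transfer
}
MALICIOUS_THRESHOLD = 5   # constructed cut-off: one web request alone is not a verdict


def analyze(sample: bytes, trace: List[Event]) -> dict:
    """Map observed behaviour to techniques, score it, and package a verdict other devices can consume."""
    techniques: Dict[str, int] = {}
    for ev in trace:
        detail = ev.detail.lower()
        for (kind, needle), (technique, weight) in RULES.items():
            if ev.kind == kind and needle in detail:
                techniques[technique] = weight      # count each technique once, however often seen
    score = sum(techniques.values())
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),   # the indicator a firewall or SEG can block on
        "techniques": sorted(techniques),               # ATT&CK IDs: the shared vocabulary
        "score": score,
        "verdict": "malicious" if score >= MALICIOUS_THRESHOLD else "clean",
    }
```

A document that spawns PowerShell, fetches an executable over HTTP, writes it to disk and registers a Run key scores well over the threshold and is reported with four technique IDs; a document that only fetches a web page is reported clean, and the hash is computed either way so that the verdict can be distributed.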

Lastly, as more businesses adopt digital transformation, new organizations, or parts of organizations, are
exposed to attacks. One example is the operational technology (OT) sector, which includes utilities,
manufacturing, oil and gas, and many others. Traditionally, OT operators kept their operational networks internal
and separate from their corporate business networks, but increasingly OT networks connect to corporate and
third-party vendor networks. Another example is organizations that offer applications, platforms, and infrastructure
as services in the public cloud, AWS and Azure to name two. They host applications for other businesses, which
are accessed through the internet. These new areas require similar protection against zero-day threats to
minimize business disruption and security risks. As a result, sandbox technology evolved to provide wider
coverage to these areas and others as they develop.

The Fortinet sandbox product is named FortiSandbox™ and it embodies all of the latest technologies discussed
here. It integrates with other security products in a collective defence called the Fortinet Security Fabric. A critical
piece of the Security Fabric is FortiGuard® Labs, which brings AI learning and other threat intelligence services to
sandbox technology.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Web Application Firewall

Hello! In this lesson, we will talk about Web application firewalls (WAFs) and how they have evolved over time.
What is a WAF and how does it differ from the traditional edge firewall?

A WAF is an appliance or software that monitors HTTP/HTTPS traffic and can block malicious traffic to and from a
web application. It differs from a traditional edge firewall in that it inspects the content of specific web applications
at the application level, while edge firewalls act as secure gateways between the local area network and outside
servers at the network level. Specifically, by inspecting HTTP traffic, a WAF can stop attacks that target web
application security flaws, such as SQL injection, cross-site scripting, file inclusion, and security
misconfigurations. Given that much of our time, both at work and at home, is spent interacting with web
applications and web servers, the WAF is a vital component in our arsenal against bad actors and their
malicious online schemes.

The ancestor of the WAF is the application firewall that was first developed in the 1990s. Although largely a
network-based firewall, it could target some applications or protocols, such as File Transfer Protocol (FTP) and
remote shell (RSH), which is a command line computer program. The debut of the World Wide Web in 1991 was
the big bang of the internet universe, which has been expanding at an accelerated pace ever since. The very
accessibility and openness of the internet permitted anyone to search and explore, but it also permitted bad actors
to use it for their own sordid purposes.

As more people and organizations became victim to espionage, theft, and other crimes, developing a defense
against HTTP-based cyberattacks became a foremost priority. WAF couldn’t rely on traditional edge firewall
methods that based decisions on a blocklist of network addresses, and blocked certain protocols and port
numbers. As all web applications used HTTP and either port 80 or 443, this approach wasn’t very useful.

Let's look at a common attack method called SQL injection. Imagine you run an online business and customers
and partners log on to your site to buy products and services. A typical login page asks for a user ID and password.
An individual, let's call him John Smith, types his user ID, jsmith, and his password. The application builds a
database query from these two values and the backend database checks them: if the stored password matches,
John Smith gets in; if not, he does not. Now, a bad actor probably does not know John's password. He could
guess, but that might take a very long time. Instead, for the password, the bad actor types something like
"abc123' or 2+2=4". If the application pastes that text directly into the query, the quote ends the password string
and the rest becomes part of the SQL itself: the password "abc123" is wrong, but the expression 2+2=4 is always
true, so the whole condition passes and the attacker is logged in without knowing the password. This flaw let bad
actors break into a number of sites. The first generation of WAFs used blocklists and signature-based matching
on HTTP attributes to alert the firewall to an attack, so a SQL injection attack like this one was no longer
successful.
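The login check above in code, as an added example that is not from the lesson or from FortiWeb: the vulnerable version concatenates the user's input into the query, the fixed version passes it as a bound parameter, and a few regular expressions stand in for the signature rules a first-generation WAF applied to request parameters. SQLite is used as the backend database so the example runs offline; the user record and the signature patterns are constructed. Note that the real payload needs a closing quote and a trailing comment (--) so that the injected query stays syntactically valid, which the lesson's shorthand omits.

```python
"""Added example (not from the Fortinet lesson): the login check built by string concatenation
beside its parameterised form, plus signature matching of the kind first-generation WAFs used.
Database contents and signature patterns are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's backend database (constructed user record)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith', 'correct horse battery')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The user's text is pasted into the SQL, so a quote in it ends the string literal
    and whatever follows is executed as part of the query."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately from the SQL text,
    so quotes and keywords in the input are only ever data."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Signature rules of the kind early WAFs matched against request parameters (constructed,
# not a vendor rule set).  Signature matching is easy to evade, which is why the text
# goes on to describe learning-based WAFs.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+\S+\s*=", re.IGNORECASE),      # ' OR 2+2=4   /   ' OR '1'='1
    re.compile(r"--\s*$"),                                # trailing comment that discards the rest
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),   # stacked statement
]


def waf_blocks(value: str) -> bool:
    """True when a request parameter matches any injection signature."""
    return any(sig.search(value) for sig in SQLI_SIGNATURES)
```

With the constructed payload the vulnerable function returns True for jsmith without the right password, the parameterised function returns False, and the signature check flags the payload while letting the genuine password through.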

With internet popularity soaring, soon the sheer number of web applications and their growing complexity made
the signature-based approach obsolete. As well, the number of false positives—alerts of attacks that were in fact
legitimate connections—grew to proportions beyond the capacity of IT security teams. In the next generation,
WAFs became more intelligent—there was an element of learning by the firewall. The WAF would learn the
behavior of the application to create a baseline it could use to evaluate whether attempts to access the
applications were normal or irregular, and therefore suspect. It also introduced session monitoring and heuristics,
which permitted the firewall to detect variants of known signatures. This was a step forward, but because
application learning was overseen by IT security, defence could not keep up with the ever-expanding number of
mutations of existing methods or new exploits. Moreover, there was no defence against zero-day exploits, which
exploited an unknown weakness in the code of an application.

The logical turn in WAF development was machine-learning unencumbered by human supervision. Now
behaviour analysis could be done at machine speed and could adapt to the ever changing attributes of the threat.


Other security features were added to the WAF. Among these were distributed denial of service (DDoS) defense,
IP reputation, antivirus, and data loss prevention (DLP). The firewall could stop any action that violated acceptable
HTTP behavior. It could identify the user, correlate the action they were attempting with their permissions, and
stop any action that went beyond the scope of their role. The WAF was also designed to share information and
collaborate with other security devices in the network, such as other firewalls and sandboxes. This integrated the
WAF into an interlocking collective defence rather than leaving it to work independently. Sandboxing allowed
suspicious material to be tested safely in isolation from the network. Zero-day attacks could be exposed and
quarantined in these sandbox environments, and their signatures could be shared with other devices in the
network. In addition, these new discoveries could be uploaded to a threat intelligence center on the internet, where
they could be communicated to other networks.

Fortinet has a WAF named FortiWeb™. FortiWeb™ can be integrated with FortiGate® and FortiSandbox™.
FortiGuard® Labs is Fortinet’s threat intelligence center, which can provide vital updates to FortiWeb™ and to
other Fortinet Security Fabric products.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Secure Email Gateway

Hello! In this lesson, we will explain what secure email gateway is and how it has evolved.

Email was one of the first activities people did when the world went online in the 1990s. It took very little bandwidth
because technology allowed for very little. It was also easy, fast, and didn’t even cost a postage stamp! It was so
easy and inexpensive that it became a means to get a message to many people at little or no cost.

Some of those mass mailings came from legitimate businesses and were equivalent to advertising flyers sent by
post, but other mass mailings were sent by more nefarious characters. This was the beginning of spam—the act of
sending irrelevant and unsolicited messages on the internet to a large number of recipients.

Individuals could send and receive messages with little verification or accountability. Therefore, they offered
anonymity. Initially, people viewed spam more as a nuisance than a threat. But in 1996, America Online (AOL)
coined the term phishing to describe the fraudulent practice of sending emails purporting to be from a reputable
source, in order to induce individuals to reveal personal information.

For example, some of you may have met Prince Solomon of Abadodo, or another wily character, who wanted to
share their wealth with you. Other bad actors registered domain names that were strikingly close to the names of
legitimate businesses or organizations and masqueraded as that business in an email, coaxing you to click a link
or an attachment that contained malware.

The phishing technique relied on human naivety, carelessness, or distraction for it to work. One of the first
responses from businesses was to educate employees about phishing tactics. However, while education may
have reduced phishing exploits, it did not eliminate the threat. Something had to be done at the mail server and
Internet Service Provider (ISP) levels. In response, businesses installed spam filters on mail servers to stop spam
and phishing emails.

Spam filters rely on identifying specific words or patterns in the headers or bodies of messages. To use a simple
example, the word cash is common to email spam. If an IT professional added the word cash to the spam filter on
their company mail server, the filter would eliminate any email that contained that word.

ISPs also deployed spam filters. In addition to filtering, ISPs turned to strengthening sender authentication. By
the end of the first decade of the twenty-first century, ISPs had begun to implement Sender Policy Framework
(SPF), which slowly took shape during that decade but was not published as a proposed standard until 2014.

SPF is an email authentication method: a domain owner publishes, in a DNS TXT record, which mail servers are
allowed to send on the domain's behalf, and a receiving server compares the connecting sender's IP address
against that list to detect forged sender addresses. SPF verifies only the sending server, not the message content.
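The SPF check described above, as an added example that is not from the lesson or from FortiMail. The SPF records, domains and sending addresses are constructed, and the DNS lookup is replaced by a dictionary so the code runs offline. The mechanism syntax (ip4, ip6, all, and the +, -, ~ and ? qualifiers) follows RFC 7208; the mechanisms that need further DNS queries (include, redirect, a, mx) are deliberately left out here.

```python
"""Added example (not from the Fortinet lesson): evaluating a sender's IP address against a
domain's SPF record.  Records and addresses are constructed; the DNS lookup is stubbed."""
import ipaddress
from typing import Dict

# Stand-in for the DNS TXT lookup of the envelope sender's domain (constructed records).
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.5 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' (RFC 7208 result names).
    Only ip4, ip6 and all are evaluated; include/redirect/a/mx need DNS and are skipped."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                         # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # a mechanism with no qualifier means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue                          # unsupported mechanism in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # no mechanism matched and no 'all' term
```

A receiving server that sees "fail" for example.com can reject the message outright; "softfail" is usually treated as a signal for the spam score rather than a hard reject, which is exactly the difference between the two constructed records.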

However, for every defensive measure implemented by legitimate businesses, organizations, and ISPs, the bad
actors introduced a countermeasure that circumvented the latest defense.

To return to our simple example, spammers could easily bypass our filtered word, cash, by rendering it as c@sh or
some other variant. And while filters became more sophisticated in detecting spam patterns, they were too static
and easy to outsmart.

Spamming and phishing are just too lucrative for the bad actors to easily give up. In fact, the number of phishing
attacks has grown enormously since the turn of the century. In 2004, 176 unique phishing attacks were recorded.
By 2012, this number grew to 28,000. And no wonder; phishing was lucrative. Between lost money and damages,
the attacks caused a $500 million loss to businesses and individuals. More recently, during the first quarter of
2020, the Anti-Phishing Working Group (APWG) recorded 165,772 detected phishing sites.

Better defense was needed. Secure email gateways (SEGs) arose to provide more rigorous defense. In addition
to the spam filter, SEGs added antivirus scanners, threat emulation, and sandboxing to detect malicious
attachments and links in real time. Even if employee education and the spam filter failed, one of these other tools
could detect and neutralize the threat. However, the number of false positives, and the sheer volume of attacks,
overwhelmed security teams, who became bogged down in manual remediation.

SEGs continue to evolve as threats evolve.

Today, greater automation and machine learning are built into SEGs, which alleviates the demands placed on
security operations centers (SOCs). Data loss prevention (DLP) is also available to detect and stop the egress of
sensitive data.

In some cases, a SEG is integrated with other network security devices, such as edge and segmentation firewalls.
These devices collectively form an integrated fabric of security that security professionals can centrally manage
from a single pane of glass, and continually update using threat intelligence, as new methods and contagions
become known.

Fortinet has a SEG, called FortiMail®. FortiMail® includes all of the features discussed here, plus it integrates with
firewalls and sandboxing solutions. You can centrally manage all of these devices using FortiManager®, and
update their threat intelligence using FortiGuard® Labs, which is the global threat intelligence and research center
at Fortinet.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Content Filters

Welcome to the Content Filters lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives.

Content filtering is a process to screen or restrict access to objectionable emails, webpages, executables and
other suspicious items. It is a common security measure that is often built into internet firewalls and blocks content
that contains harmful, illegal, or inappropriate information. For example, parents often use web filtering to protect
their children from improper or graphic material.

Content filters are used in different ways to block access to different types of material. The common types of
content filters include search engine filters, email filters, DNS-based content filters, and web filters. Click the
different tabs to learn more about each type.

Search engine filters rate web content according to its text and images. Text and images hold a specific weight,
which is measured against a classification set. The weights vary based on whether the classification level is set to
off, moderate, or strict. Machine learning helps define the weights to avoid possible false positives. Depending on
the resulting value and the size of the document, the content can then be classified as safe, moderate,
inappropriate, or rejected from a strict point of view. The search engine result will then display contents if they
meet the level of classification set.

Email content filters check the headers of incoming mail against real-time blackhole lists (RBLs), which list IP
addresses known to send spam. The raw body is then scanned for inappropriate content to produce a spam
confidence level, similar to the weights used by search engine filters. Email content filters also inspect
attachments, identifying keywords and potentially unauthorized file types, such as executables, to complete the
filtering. This enables users to block, quarantine, or reject malicious emails, including phishing, while accepting
legitimate incoming mail.
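To make those checks concrete, here is an added example, written for this edit in Python with the standard library only; it is not part of the Fortinet lesson and is not FortiMail code. The blackhole list, keyword weights, thresholds and the three sample messages are constructed for the demonstration; a real gateway would query live RBLs and a trained spam model. It also shows a check the lesson does not spell out: an executable renamed to look like a PDF is still caught by its "MZ" file header, and only the topmost Received header (the one our own MX wrote) is trusted, because lower ones are supplied by the sender.

```python
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for a real-time blackhole list (RBL) lookup and a
# vendor's spam-scoring model. Weights and thresholds are assumptions.
RBL_LISTED = {ipaddress.ip_address("203.0.113.45")}
SPAM_KEYWORDS = {"urgent": 2, "verify your account": 3, "click here": 2,
                 "password": 1, "wire transfer": 3}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")
QUARANTINE_THRESHOLD = 3   # hold for analyst review
REJECT_THRESHOLD = 6       # drop outright

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg: EmailMessage):
    """IP of the host that handed the message to our gateway.

    Only the topmost Received header is trustworthy: our own MX wrote it.
    Lower Received headers arrive with the message and can be forged.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP_RE.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def keyword_score(text: str) -> int:
    lowered = text.lower()
    return sum(weight for phrase, weight in SPAM_KEYWORDS.items() if phrase in lowered)


def executable_attachments(msg: EmailMessage) -> list:
    """Flag attachments by name *and* content: a renamed .exe still starts with 'MZ'."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXTENSIONS) or data[:2] == b"MZ":
            found.append(name)
    return found


def classify(raw: bytes):
    """Return (verdict, reasons) for one inbound message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    ip = connecting_ip(msg)
    if ip is not None and ip in RBL_LISTED:
        score += 4
        reasons.append(f"connecting host {ip} is on a blackhole list")

    body = msg.get_body(preferencelist=("plain", "html"))
    kw = keyword_score(body.get_content() if body is not None else "")
    if kw:
        score += kw
        reasons.append(f"body keyword score {kw}")

    bad = executable_attachments(msg)
    if bad:
        reasons.append("executable attachment(s): " + ", ".join(bad))

    if score >= REJECT_THRESHOLD:
        return "reject", reasons
    if bad or score >= QUARANTINE_THRESHOLD:
        return "quarantine", reasons
    return "accept", reasons


def build_sample(sender_ip: str, text: str, attachment=None) -> bytes:
    """Constructed test message, as our MX would have recorded it."""
    msg = EmailMessage()
    msg["From"] = "[email protected]"
    msg["To"] = "[email protected]"
    msg["Subject"] = "Sample"
    msg["Received"] = (f"from relay.example.net ([{sender_ip}]) by mx.corp.example "
                       "with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000")
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


PHISHING = build_sample("203.0.113.45",
                        "Urgent: verify your account. Click here to confirm your password.")
MALWARE = build_sample("198.51.100.9", "Please see the attached invoice.",
                       attachment=("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60))
CLEAN = build_sample("198.51.100.9", "Meeting moved to 3pm, see you there.")

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("malware", MALWARE), ("clean", CLEAN)):
        print(label, classify(raw))
```

The attachment case goes to quarantine rather than reject on purpose: executables are sometimes legitimate, and a quarantine lets an administrator release a false positive, which is exactly the manual workload the lesson says later SEGs had to automate.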

Click the icons for more information.

DNS-based content filters check the website during the resolution of the domain through DNS servers using
blocklists. If the website is not allowed, the browser is redirected to a replacement message announcing that the
page is blocked. Alternatively, a company can define an allowlist, including all company approved websites. DNS-
based content filtering would then block all other websites.

Web filters are similar to DNS-based content filters with an additional function that categorizes websites. For
example, a requirement for schools in the United States is to adhere to the Children’s Internet Protection Act
(CIPA), a federal law that addresses concerns about children’s access to obscene or harmful content over the
internet, such as pornography. Therefore, elementary and high schools use web filters to block material deemed
harmful to minors. All websites and their contents are rated through machine learning, so that access to a specific
URL is allowed or blocked according to its category and the user’s profile.
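The DNS-based and web-filter paragraphs above describe two policy points: the resolver, which only sees a domain name, and the proxy, which sees the full URL and a category. Here is an added Python example of both (written for this edit; not code from the lesson or from any Fortinet product). The blocklist, allowlist, category database, user profiles and sinkhole address are constructed assumptions; a real deployment would pull these from a rating service. The point it adds is suffix matching: a listing for malware-host.example must also cover cdn.malware-host.example, or the filter is trivially bypassed.

```python
from urllib.parse import urlsplit

SINKHOLE = "0.0.0.0"   # constructed: address handed back for blocked names

# Constructed policy data standing in for a vendor feed or a locally
# maintained list. Category names and profiles are assumptions.
BLOCKLIST = {"malware-host.example", "gambling.example"}
ALLOWLIST = {"corp.example", "docs.python.org"}
CATEGORIES = {
    "malware-host.example": "malware",
    "gambling.example": "gambling",
    "social.example": "social-media",
    "news.example": "news",
    "corp.example": "business",
}
PROFILES = {
    "student": {"adult", "gambling", "malware", "social-media"},
    "staff": {"adult", "gambling", "malware"},
}


def domain_and_parents(name: str):
    """'cdn.malware-host.example' -> that name, 'malware-host.example', 'example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def listed(name: str, names: set) -> bool:
    """A listing covers the domain and every subdomain under it."""
    return any(candidate in names for candidate in domain_and_parents(name))


def dns_answer(name: str, real_answer: str, mode: str = "blocklist") -> str:
    """Resolver-side policy: hand back the real record or the sinkhole."""
    if mode == "blocklist":
        blocked = listed(name, BLOCKLIST)
    elif mode == "allowlist":
        blocked = not listed(name, ALLOWLIST)   # everything not approved is denied
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return SINKHOLE if blocked else real_answer


def categorize(host: str) -> str:
    for candidate in domain_and_parents(host):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def web_verdict(url: str, profile: str):
    """Proxy-side policy: category of the host, checked against the user's profile."""
    host = urlsplit(url).hostname or ""
    category = categorize(host)
    action = "block" if category in PROFILES[profile] else "allow"
    return action, category


if __name__ == "__main__":
    print(dns_answer("cdn.malware-host.example", "198.51.100.7"))
    print(dns_answer("news.example", "198.51.100.8", mode="allowlist"))
    print(web_verdict("https://social.example/feed", "student"))
    print(web_verdict("https://social.example/feed", "staff"))
```

Note what the DNS layer cannot do: it blocks or allows a whole name, so a single bad path on an otherwise allowed site is invisible to it. That is the gap the URL-level web filter closes.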

Content filters allow organizations to block access to sites known to carry malware, protecting their data and users
from malicious activity.

Content filters can also identify phishing pages or exploit kits and block access before a malicious download is
triggered. This matters as cybercriminals develop ever more sophisticated ways to gain illegal access to networks
and steal data.

Limiting users’ access to work-related sites can also improve bandwidth efficiency and provide faster
connections for all employees.

Organizations can also use web filtering on websites such as social media and online shopping to increase staff
productivity.

Click the underlined terms for more information.

You have completed the lesson.

Wi-Fi

Hello! In this lesson, you will learn about Wi-Fi and the security implications of wireless networks.

Wi-Fi is a technology for wireless, local area networking of devices based on the IEEE 802.11 standards. It started
small, intended mostly for industrial use, and has grown to be the most common way that all our personal
electronic devices connect at home or at the office.

The development of Wi-Fi leveraged many of the same protocols and technology as Ethernet, with one very large
difference. All transmissions are happening over the air; meaning that, much like a verbal conversation, anyone
listening can hear what is being said.

Originally, the authentication and privacy mechanisms for Wi-Fi were very weak. The standard had a simple
option to provide encryption called Wired Equivalent Privacy, or WEP. WEP encrypted traffic with the RC4 stream
cipher, using a static shared key combined with a short 24-bit initialization vector (IV) that was sent in the clear.
Because IVs repeated, so did keystreams, and RC4’s key scheduling leaked information about the key, so someone
with the right tools and a reasonably powerful machine could recover a WEP key fairly quickly. The word went out
that Wi-Fi was insecure, and the technology, which was just starting to grow, had serious problems.
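As an added illustration of why WEP failed (example code written for this edit, not from the lesson or any Fortinet product), the following Python reproduces WEP’s per-packet keying and shows what an eavesdropper gets when a 24-bit IV repeats. The shared key, IV and packet contents are constructed; the SNAP header is the real, known first eight bytes of an 802.11 data payload, which is what gives the attacker a known plaintext. The practical key-recovery attacks (FMS and PTW) go further by exploiting RC4’s key schedule; this shows only the simpler consequence of keystream reuse, plus the birthday-bound arithmetic for how soon a reuse is expected.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); here only to demonstrate the failure mode."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 24-bit IV in the clear, then RC4(IV || key) XOR plaintext.
    (The real frame also carries a CRC-32 ICV; omitted, it does not change the point.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_second_plaintext(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so
    keystream = c1 XOR p1 and p2 = c2 XOR keystream. No key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams differ, nothing to reuse")
    c1, c2 = frame1[3:], frame2[3:]
    keystream = xor(c1, known_plaintext1)
    return xor(c2, keystream)


def packets_until_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound on the 2^24 IV space: after this many frames some IV
    has been reused with the given probability (about 4,800 for 50%)."""
    return math.ceil(math.sqrt(-2 * 2 ** 24 * math.log(1 - probability)))


# Constructed demonstration values: a 40-bit WEP key and one IV. The SNAP
# header is the genuine, predictable start of every 802.11 data payload.
SHARED_KEY = bytes.fromhex("1337422499")
IV = bytes.fromhex("0a0b0c")
SNAP = bytes.fromhex("aaaa030000000800")
PACKET_1 = SNAP + b"GET /index.html HTTP/1.0\r\n\r\n".ljust(40, b" ")
PACKET_2 = SNAP + b"Cookie: session=s3cr3t-token"

if __name__ == "__main__":
    frame1 = wep_encrypt(SHARED_KEY, IV, PACKET_1)
    frame2 = wep_encrypt(SHARED_KEY, IV, PACKET_2)
    print(recover_second_plaintext(frame1, frame2, PACKET_1))
    print(packets_until_iv_collision())
```

A busy access point sends thousands of frames a minute, so an IV repeat is a matter of minutes, not days; and many WEP cards reset the IV to zero on every power cycle, which makes the collision far sooner than the birthday bound suggests.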

Stakeholders gathered with IEEE and the Wi-Fi Alliance to produce Wi-Fi Protected Access (WPA). It added extra
security features, but retained the RC4 algorithm (wrapped in the TKIP key-mixing scheme), which made it easy for
users to upgrade their older devices. However, it still didn’t solve the fundamental security problem.

A new standard, based on the Advanced Encryption Standard (AES) algorithm from the National Institute of
Standards and Technology (NIST), was also introduced as Wi-Fi Protected Access 2 (WPA2). This was a lot more
secure than WEP. In addition, enterprise-grade authentication was added to the technology, creating two flavors of
each security mode: Personal and Enterprise. The personal mode continued to use a shared passphrase for network
authentication and key exchange. The enterprise mode used 802.1X authentication mechanisms, similar to those
used on wired networks, to authenticate each user and set up encryption. However, poorly chosen or weak
passphrases could still leave networks vulnerable, because an attacker who captures the WPA2 handshake can
guess the passphrase offline.

Released in 2018, Wi-Fi Protected Access 3 (WPA3) introduced a new, more secure handshake for making
connections (Simultaneous Authentication of Equals, or SAE, which resists offline passphrase guessing), an easier
method for adding devices to the network, increased key sizes, and other security features.

It might seem like that’s it, wireless is now secure, and there’s nothing to worry about. Unfortunately, that is not the
case. Hackers have found several ways to exploit human behavior and still get access to the information they
want.

Free Wi-Fi Available is a sign we all look for in public, yet it comes with risks. Hackers set up access points
(APs) that act as honeypots in public areas. Unsuspecting people who connect to these so-called free networks
don’t realize that the hacker can observe or tamper with everything they do online that is not protected end to end
by encryption such as TLS, and can redirect them to fake login pages. For example, if you enter your account
credentials or credit card details on such a page, they can capture them. Be wary, even if a network name seems
legitimate.

In addition, our handheld devices remember networks we’ve connected to in the past. To be helpful, they
automatically look for those networks and reconnect when they see them. This means that a hacker can observe
your phone probing for the legitimate hotel Wi-Fi you connected to last year, set up a fake AP broadcasting that
network name, and trick your device into connecting. Unless you notice that your device is now connected to Wi-Fi,
you may pass data through the fake AP, again exposing everything you’re doing.
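The two risks just described, a rogue AP cloning a known network name and a device that will auto-join a remembered open network, can both be checked for. Here is an added Python example written for this edit (not lesson or FortiAP code) that does both over constructed data: a scan result as a wireless IDS or a laptop would see it, a controller’s list of the organization’s real BSSIDs, and a phone’s saved-network list. All SSIDs, BSSIDs and channels are made up for the demonstration.

```python
# Ordering used to spot a downgrade: an "open" clone of a WPA2 network.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

MANAGED_SSIDS = {   # constructed: the organisation's own APs, from the controller
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
}

SCAN = [    # constructed: one round of beacon observations
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "security": "WPA2", "channel": 36},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "channel": 6},
    {"ssid": "Cafe-Free", "bssid": "aa:bb:cc:dd:ee:ff", "security": "OPEN", "channel": 1},
]

SAVED_NETWORKS = [  # constructed: a phone's remembered networks
    {"ssid": "CorpWiFi", "security": "WPA2", "autojoin": True},
    {"ssid": "Hotel-Guest", "security": "OPEN", "autojoin": True},
    {"ssid": "Home", "security": "WPA3", "autojoin": True},
]


def audit_scan(managed: dict, scan: list) -> list:
    """Flag APs that advertise one of our SSIDs from an unknown radio, or with
    weaker security than the real network. Both are evil-twin signatures.
    Returns (bssid, finding) pairs."""
    findings = []
    for ap in scan:
        expected = managed.get(ap["ssid"])
        if expected is None:
            continue            # not our network; nothing to compare against
        bssid = ap["bssid"].lower()
        if bssid not in expected["bssids"]:
            findings.append((bssid, "unknown BSSID advertising a managed SSID"))
        if SECURITY_RANK[ap["security"]] < SECURITY_RANK[expected["security"]]:
            findings.append((bssid, f"security downgrade {expected['security']} -> {ap['security']}"))
    return findings


def impersonable_saved_networks(saved: list) -> list:
    """Remembered networks the device will auto-join that anyone can clone:
    with no credential (or a broken one) nothing ties the name to the real AP."""
    return [n["ssid"] for n in saved
            if n["autojoin"] and SECURITY_RANK[n["security"]] <= SECURITY_RANK["WEP"]]


if __name__ == "__main__":
    for bssid, finding in audit_scan(MANAGED_SSIDS, SCAN):
        print(bssid, finding)
    print("forget or disable auto-join for:", impersonable_saved_networks(SAVED_NETWORKS))
```

The saved-network check treats WPA2 and WPA3 entries as safe to keep because a clone of those still needs the passphrase to complete the handshake; an open network needs nothing but the name.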

You’re not just exposed when you’re away from home. Many people set up their home network but never turn on
security. Or if they did, they set it up long ago, possibly using WEP or WPA, and never moved to a stronger protocol
or passphrase. Newer firmware for home wireless routers now offers additional features, such as WPA3 or visibility
into the devices on the network. It’s a good idea to keep your security up to date and to pick passphrases that are
complex and hard to guess. At the very least, change the service set identifier (SSID) and the default administrator
username and password! Also, keep an eye on your home network and make sure you recognize the devices that
are accessing it. If a hacker gets onto the network, they have access to everything on that network. At that point
it’s no longer a question of reading the wireless traffic you’re sending, it’s about what devices they can
compromise and what data they can get from those devices.

The challenges associated with enterprise class Wi-Fi continue to grow. With IoT, BYOD, and a highly mobile
workforce, it’s critical to manage access points while also dealing with evolving security threats, be it at the
corporate office, remote office, or in your home.

Fortinet offers a wireless product named FortiAP™. It supports the latest Wi-Fi technologies, and integrates with,
and is managed by FortiGate®, a next-generation firewall.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Endpoint Hardening Techniques

Welcome to the Endpoint Hardening Techniques lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives.

With the spread of Internet of Things (IoT) devices, the number of endpoints that need to be secured has
increased exponentially. Fortunately, there are many strategies and policies that you can use to secure not only
traditional client and server endpoints, but also the newer network-connected devices that have proliferated across
all aspects of life. Many of these techniques are geared toward companies and enterprise networks, but you can also
use them in your personal and home environments. Remember that one of the greatest threats caused by the
spread of endpoints is that an unsecured device can allow unauthorized access to a network, which can then be
exploited to gather information or compromise other devices.

Hardening endpoints can be broken down into several categories. The first category is using administrative
controls to enforce secure passwords and restrict user and network access using the principle of least privilege
(PoLP).

The second is hardening the local endpoint protection through a combination of operating system security, boot
management, local disk encryption, and data loss prevention (DLP) techniques.

The third is appropriate endpoint maintenance to ensure all devices are patched and updated regularly, have
regular policy checkups and have accurate, maintained backups for easy recovery.

The fourth is the monitoring of endpoint devices, which can be done locally through an endpoint protection
platform (EPP) client if available, or over the networks the devices are connected to using specialized network
intrusion detection systems (IDS). It is also possible to implement endpoint detection and response (EDR)
platforms that can preemptively block new, undiscovered attacks and take immediate action against suspicious
files and programs.

This lesson covers the first three topics.

The simplest way to harden and protect your endpoints and IoT devices is to ensure that the device has a secure
password. This is especially important in household IoT devices, which regularly ship with a default password that
the user is not required to change on installation. Tracking down and enforcing secure passwords on all
connected devices is a simple first step that can help reduce your overall risk. A common first attack strategy is to
scan a network for devices and attempt to log in and gain access to a local device using default passwords.

Another important step in securing endpoints is to ensure that users, especially administrators, have access to
only the permissions they need to perform their duties. Many endpoints, even basic IoT devices, grant users the
ability to create administrative roles and permissions sets. This allows the creation of authenticated roles that
allow users and administrators access to only the features they need on a device. This prevents a weak password
or social engineering attack from granting an attacker access to more permissions by accident.

If an attacker gains access to an account with restricted access, it will be much less damaging than if an attacker
gains full administrative access because the device is using the default administrative role. The enforcement of
permissions based on need is called the principle of least privilege, or PoLP, and is a good rule to follow when
defining any security policy, whether for endpoints, authentication, or file access.

For simpler endpoints that can’t restrict user or administrative access, consider locking down access with very
secure passwords or two-factor authentication, or restricting which IP addresses can access the device using
another device, such as a router or firewall.

Defense in depth is very important when hardening endpoints. If there are multiple layers of security, it is more
difficult to compromise an endpoint and use it to further attack a network. Remember, a network is only as secure
as its most vulnerable endpoint, so having a broader, top-down view when designing and enforcing security can
be a great help in determining policies for a network, even if they cannot be applied equally to all devices.

A frequently overlooked area in endpoint security is the hardening of endpoint firmware and boot processes. Most
security practices focus on securing devices when they are running and connected to the network. However,
threats that attack the firmware and boot processes of endpoint devices have been emerging. Hardening firmware
and boot processes is especially important for IoT devices, which lack many of the built-in protections that more
traditional desktops, laptops, and servers have integrated over the years to protect against malicious firmware
compromise.

Physically securing devices so that attackers do not have physical access is extremely important. It is much easier
to compromise a traditional computer system if you have physical access because many devices have an
administrator account reset procedure that requires only physical access to the device. Locking down the basic
input/output system (BIOS) and other boot-time systems can prevent these types of attacks from being
successful.

Firmware is software that usually runs from a chip on the endpoint. This software is responsible for detecting
and reporting the hardware connected to the device. After the firmware performs all the hardware checks, it assists
in loading the operating system.

Modern computers usually use either the legacy basic input output system (BIOS) or the newer unified extensible
firmware interface (UEFI). Both perform similar functions, but UEFI is much newer and usually incorporates a
graphical interface and more robust security features.

Understanding how your network endpoints load their operating systems and how to secure against potential
compromise is important for preventing firmware malware attacks, where code is inserted into the firmware that
can cause endpoints to load malicious software or whole new operating systems that can then be used to
compromise other devices. Restricting the firmware so that it boots only signed, approved software (UEFI Secure
Boot) is one of the most important new features of UEFI over BIOS.

Choosing an OS is not a luxury security administrators usually have, but, if possible, it is always a good idea to
select and use an OS that is easy to manage and secure. Many OSs now have built-in security features that make
it easier to manage and enforce security policies. In addition, many network security devices can now allow
access based on OS type. Having a fixed list of trusted OSs can help you enforce overall network security by
allowing only known OS types and versions to access your networks. That way, if a firmware attack compromises
a device, which then attempts to connect to the network with an unknown OS, other security devices can deny the
access.

While BIOS and UEFI are specific to traditional computers and laptops, most endpoints use some sort of
bootloader and firmware to secure and load the OS. Understanding and ensuring these systems are locked down
is a fundamental step in endpoint security.

One of the major advantages of using laptops and cell phones for work is that they are portable. One frequent
concern about these devices is data security. If a laptop is stolen and the data is not encrypted, it is very easy for
the thief to extract useful information. In addition to being harmful to the individual, an unencrypted corporate
laptop can contain a wealth of useful information about the corporate security posture. Just viewing browsing
history and cached DNS queries on a computer can reveal sensitive network information and security procedures.

Fully securing and encrypting endpoints is a critical aspect of cybersecurity, especially for high-risk devices that
may contain a great deal of sensitive information.

The most common way to secure these devices is to use full disk encryption, or FDE. FDE is usually a software-
based solution in which the OS encrypts the disk. At boot time, a small pre-boot component of the OS, loaded by the
UEFI firmware, obtains the key needed to decrypt the disk. That key is typically sealed in a trusted platform module
(TPM) and protected by a password, PIN, or other authentication method. Once the key is released, the disk can be
decrypted and the OS loaded normally. Because the entire disk is encrypted, a stolen drive yields no useful
information unless the attacker can brute force the encryption key or the passphrase protecting it, which is
infeasible for a well-chosen passphrase. Note that FDE protects data at rest only: a device that is powered on and
unlocked, or suspended with the key still in memory, is not protected by it.

Another way to implement full disk encryption is to use a self-encrypting drive, or SED. An SED is a hard drive with
a built-in module that automatically handles the encryption and decryption of the contents of the hard drive using
instructions from the firmware and OS. Using an SED pushes the cryptographic effort onto the built-in module in
the hard drive, rather than the device CPU and software.

A final way to protect data on an endpoint is to use DLP software. This can detect if someone is trying to copy
sensitive information from a device or send it over the network. DLP can block or log the transaction for security.
Another common use of DLP is to prevent or limit the use of attachable drives, like USB flash drives or external
hard drives, to prevent the copying of large amounts of data. DLP can also be network based, where devices
inspect network traffic to alert administrators to keywords or other sensitive information being transmitted over
networks.
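The DLP paragraph above lists what such a tool watches for; here is an added Python example, written for this edit and not drawn from the lesson or any Fortinet DLP product, that runs that logic over constructed outbound events (an email, an upload, a USB copy). Patterns, the bulk-copy limit and the block/log policy are assumptions. What it adds beyond the text is the false-positive control a practitioner cares about: a 16-digit order number is not a card number, and the Luhn check is what tells them apart; and the alert masks what it found so the DLP log does not itself become a leak.

```python
import re

# Constructed detectors and thresholds; a real policy carries many more
# (document fingerprints, regulatory dictionaries, ...).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional spaces/dashes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKERS = ("confidential", "internal only")
USB_BULK_LIMIT = 500 * 1024 * 1024   # bytes to removable media before we intervene


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real card number passes; screens out phone and order numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return masked card numbers (last four visible) so the alert itself does not leak data."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def inspect_transfer(event: dict):
    """event: constructed record of one outbound action, e.g.
    {'channel': 'email'|'upload'|'usb', 'content': str, 'bytes': int}.
    Returns (action, findings) with action 'allow', 'log' (alert only) or 'block'."""
    text = event.get("content", "")
    findings = []
    cards = find_card_numbers(text)
    if cards:
        findings.append(("credit-card", cards))
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(("ssn", ["***-**-" + s[-4:] for s in ssns]))
    markers = [m for m in MARKERS if m in text.lower()]
    if markers:
        findings.append(("classification-marker", markers))
    if event.get("channel") == "usb" and event.get("bytes", 0) > USB_BULK_LIMIT:
        findings.append(("bulk-copy", [f"{event['bytes']} bytes"]))

    severe = {"credit-card", "ssn", "bulk-copy"}
    if any(kind in severe for kind, _ in findings):
        return "block", findings
    if findings:
        return "log", findings
    return "allow", findings


SAMPLE_EVENTS = [   # constructed
    {"channel": "email", "content": "Order 1234 5678 9012 3456 has shipped."},      # fails Luhn
    {"channel": "email", "content": "Card 4111 1111 1111 1111 exp 12/26, SSN 123-45-6789"},
    {"channel": "upload", "content": "Q3 roadmap - CONFIDENTIAL, internal only"},
    {"channel": "usb", "content": "", "bytes": 4 * 1024 ** 3},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["channel"], inspect_transfer(ev))
```

Classification markers only log rather than block because they are coarse; a blocking rule on the word "confidential" alone would stop a great deal of legitimate mail and train users to strip the marker.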

Many modern devices like smartphones automatically use full disk encryption, but on some devices, this may be
an option that is disabled by default. Always check if disk encryption and DLP is available on endpoints, especially
IoT devices that may not have these features enabled by default.

In any environment, it is extremely important for administrators to be able to update, patch, and back up all
connected endpoints. The difficulty of maintaining reliable patching and backup schedules is usually related to the
sheer number of different devices and procedures required to perform updates and backups. Having a
standardized desktop, laptop, server, and smartphone model and manufacturer for a company can greatly
simplify the task of patch and update maintenance. However, this is not always viable because of the need to
support critical legacy equipment, and the rise of bring your own device, or BYOD, in work environments.

Keeping patches up-to-date is critical because identifying and closing potential vulnerabilities is a key step in
preventing a large-scale cybersecurity attack. Updating OSs, firmware, and vulnerable software programs and
applications is a simple and effective way to reduce overall risk. While not necessarily effective in preventing zero-
day attacks, having a fully patched and updated system can also help slow down and restrict the compromise of
systems using common, well-established malware and attack vectors. If your endpoint and network infrastructure
is up-to-date and healthy, a new, unknown attack method may be able to compromise a system, but further
infiltration may be hindered because no other tools in an attacker’s toolkit will be effective in pivoting to other
systems or collecting and exfiltrating data.

In addition to maintaining, patching and updating software, having a comprehensive backup solution for critical
endpoints can greatly assist in recovering from cyberattacks or accidents. You should back up critical endpoint
devices, like smartphones, laptops, servers, and databases frequently. If a device is compromised, you can then
collect forensic information and easily restore the device to the latest “clean” copy, with as little disruption as
possible.

Backing up IoT devices, like security cameras or smart locks, depends heavily on the manufacturer, and many
such devices do not have backup capability. In this case, having backup equipment that you can configure easily
to replace damaged, stolen, or compromised devices should be part of a comprehensive disaster recovery plan.
Having a regular backup schedule for all your devices, from computers to cameras, is one of the most effective
ways to mitigate a ransomware attack. If you have a current backup of your critical data, it is much easier to
restore and recover endpoints affected by ransomware.

You have completed the lesson.

Endpoint Monitoring

Welcome to the Endpoint Monitoring lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives.

The process of hardening endpoints is broken into several categories. This lesson focuses on the fourth category,
endpoint monitoring.

This section includes the monitoring of endpoint devices, both locally through an endpoint protection platform
(EPP) client if available, or over the networks the devices are connected to using specialized network intrusion
detection systems (IDS). It is also possible to implement endpoint detection and response (EDR) platforms that
can preemptively block new, undiscovered attacks and take immediate action against suspicious files and
programs.

To help in the administration of modern endpoints, many companies have created endpoint solutions to help
manage and protect various types of endpoints from cyberthreats. Most endpoint solutions support servers,
desktops, laptops, and smartphones, with additional plugins and support for the proliferation of the new, unknown,
and IoT devices.

The first endpoint security solution is the endpoint protection platform, or EPP. This developed from the need of
administrators to ensure servers and desktops are patched and have the appropriate antivirus software installed.
Modern EPP platforms can verify versions of software and firmware, scan the local system for viruses and
malware, and enforce data loss prevention and other company-defined security policies. EPP is usually viewed as
a defensive measure against malicious attacks, and helps administrators maintain uniform software updates
across the enterprise. EPP can also allow basic monitoring and visibility into systems to help administrators
identify out-of-date devices, and remotely patch and install software on devices.

Another endpoint solution is endpoint detection and response, or EDR. This is a more proactive security solution
that constantly scans a device to detect indicators of compromise, or IOCs. If the EDR client detects a suspicious
connection, program, or behavior, it can block the action and send an alert. This can help identify and stop threats
like ransomware and zero-day attacks that may not have an established signature that would be detected by
traditional anti-malware systems.

EDR usually leverages artificial intelligence and large comprehensive databases of known attacks to predict and
recognize suspicious files and programs. In addition to detection and immediate response, EDR can trigger alerts
to other connected endpoints and allow other endpoints to immediately block the suspicious program or file, even
before it can be opened or executed, providing an immediate response against zero-day and other previously
unidentified attacks. EDR systems can also have tools to help security investigators gather data on new threats,
and quarantine systems that are suspected of compromise.
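The two EDR paragraphs above describe a signature check (a known-bad file) next to behavioural detection that needs no signature. Here is an added Python example, written for this edit and not code from the lesson or FortiEDR, that runs both over constructed telemetry: process-creation events with a hash, parent and command line, and file-rename events. The hash, process names, command lines, thresholds and the office-app-spawns-a-script-host rule are assumptions. The ransomware heuristic is the part the text only gestures at: it flags whichever process changes the extension of twenty files in ten seconds, whatever binary that process is.

```python
import os
import re
from collections import defaultdict

# Constructed indicators; real IOCs come from threat intelligence feeds and
# the vendor's detection content.
KNOWN_BAD_SHA256 = {"cc" * 32: "constructed dropper IOC"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS_RE = re.compile(r"(?i)\s-e(?:nc|ncodedcommand)?\s")   # -e / -enc / -EncodedCommand


def process_alerts(events: list) -> list:
    """Signature match (hash) plus behavioural rules that need no signature.
    Returns (pid, action, reason) tuples in the order they fire."""
    alerts = []
    for ev in events:
        pid, image, parent = ev["pid"], ev["image"].lower(), ev["parent"].lower()
        if ev.get("sha256") in KNOWN_BAD_SHA256:
            alerts.append((pid, "block", "known-bad hash: " + KNOWN_BAD_SHA256[ev["sha256"]]))
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append((pid, "block", f"{parent} spawned {image} (macro-style execution)"))
        if image == "powershell.exe" and ENCODED_PS_RE.search(" " + ev.get("cmdline", "") + " "):
            alerts.append((pid, "alert", "encoded PowerShell command line"))
    return alerts


def ransomware_suspects(rename_events: list, window_seconds: float = 10.0, threshold: int = 20) -> set:
    """rename_events: (timestamp, pid, old_path, new_path). A process that
    changes the extension of `threshold` files inside `window_seconds` is
    behaving like an encryptor, whatever its binary is called."""
    stamps_by_pid = defaultdict(list)
    for ts, pid, old, new in rename_events:
        if os.path.splitext(old)[1] != os.path.splitext(new)[1]:
            stamps_by_pid[pid].append(ts)
    flagged = set()
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pid)
                break
    return flagged


PROCESS_EVENTS = [  # constructed telemetry
    {"pid": 1001, "image": "winword.exe", "parent": "explorer.exe", "sha256": "aa" * 32,
     "cmdline": "winword.exe invoice.docm"},
    {"pid": 1002, "image": "powershell.exe", "parent": "winword.exe", "sha256": "bb" * 32,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 1003, "image": "svchost.exe", "parent": "services.exe", "sha256": "cc" * 32,
     "cmdline": "svchost.exe -k netsvcs"},
]
RENAME_EVENTS = (
    [(100.0 + i * 0.2, 4242, f"/share/docs/report{i}.docx", f"/share/docs/report{i}.docx.locked")
     for i in range(25)]                                                   # 25 files in 5 s
    + [(100.0 + i * 3.0, 77, f"/home/u/draft{i}.txt", f"/home/u/draft{i}.md") for i in range(3)]
)

if __name__ == "__main__":
    for alert in process_alerts(PROCESS_EVENTS):
        print(alert)
    print("ransomware suspects:", ransomware_suspects(RENAME_EVENTS))
```

A real agent would act on the first rename burst by suspending the process and snapshotting its memory, which is the "immediate response" the lesson refers to; the heuristic above is only the trigger.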

Both EPP and EDR solutions usually provide monitoring resources to allow security administrators to have top-
down visibility on the health of their endpoints, and allow a quick response in case of potential attacks or outages.
These are usually a key component in monitoring by a security operations center, or SOC. In addition, many EDR
solutions allow an immediate response by automating the process to either lock down devices, or execute
operations in response to a threat detected by other parts of the network. For example, a security analyst can
publish an updated malware detection rule based on a Common Vulnerabilities and Exposures (CVE) advisory to
plug a potential security hole before a patch is made available by the device manufacturer.

One of the largest challenges in securing new devices is how to connect them to established networks securely.
Many companies now allow employees to use their own computers and phones, known as bring your own device
(BYOD). Because these devices are usually not well known to, or managed by, the company, allowing them to
connect directly to a corporate network is a large risk.

Having monitoring software and detection in place to identify and isolate unknown devices is a critical step in
properly onboarding and securing these devices. If possible, force all new and unknown devices onto an isolated
network until they can be secured and registered. You can use a physically separate network, VLAN, or a
dedicated Wi-Fi access point to accomplish this. Once a device is registered, usually by hostname, serial number,
MAC address, or static IP address, appropriate monitoring software can be installed, and the device moved to a
production environment as a known endpoint.

With hard-to-secure devices and unknown endpoints, you should enforce the principle of least privilege. If such a
device needs access only to a specific internet service or internal server, isolate it on its own network and allow
only that specific connection through firewalls and routers. That way, if the device does not meet network
compliance because it is not running an appropriate endpoint security solution, it has as little access to other
resources as possible.

Once all known devices are registered, you can configure many network security devices, such as wireless
access points, switches, routers, firewalls, and other connectivity points to lock down and not allow unauthorized
devices to connect through the network. Disabling devices that are not monitored forces users with unknown
devices to register and prevents attackers from attempting to insert their own devices onto the network remotely or
by attempting to physically plug in a device locally.
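The last four paragraphs are one procedure: quarantine unknown devices, register them, check compliance, give IoT devices only the connections they need, and refuse anything unregistered. Here is an added Python example of the admission decision, written for this edit and not taken from the lesson or from FortiNAC, using a constructed inventory keyed by MAC address with made-up VLAN numbers, addresses and ACL syntax. It also adds the check the lesson does not mention: a MAC address is trivially spoofed, so the same registered address appearing on two switch ports at once deserves a look, and 802.1X with device certificates is the stronger form of the same registration idea.

```python
# Constructed registration database, keyed by MAC address. A MAC is a weak
# identifier (anyone can set one), so treat it as a hint, not a credential.
INVENTORY = {
    "00:11:22:33:44:55": {"owner": "alice", "kind": "laptop", "agent_required": True},
    "66:77:88:99:aa:bb": {"owner": "facilities", "kind": "iot-camera", "agent_required": False,
                          "allowed": ["10.0.50.10/32 tcp/443"]},   # the camera's recorder only
}
VLAN_QUARANTINE, VLAN_IOT, VLAN_USERS = 999, 50, 10
ONBOARDING_PORTAL = "10.0.99.5/32 tcp/443"   # constructed


def admission_decision(session: dict) -> dict:
    """session: what the switch or AP reports for a connecting device, e.g.
    {'mac': ..., 'agent_ok': bool}. Returns the VLAN, ACL and reason to apply."""
    record = INVENTORY.get(session["mac"].lower())
    if record is None:
        return {"vlan": VLAN_QUARANTINE,
                "acl": [f"permit {ONBOARDING_PORTAL}", "deny any"],
                "reason": "unregistered device: onboarding portal only"}
    if record["agent_required"] and not session.get("agent_ok", False):
        return {"vlan": VLAN_QUARANTINE,
                "acl": [f"permit {ONBOARDING_PORTAL}", "deny any"],
                "reason": "registered but non-compliant: endpoint agent missing or unhealthy"}
    if record["kind"].startswith("iot-"):
        return {"vlan": VLAN_IOT,
                "acl": [f"permit {dst}" for dst in record["allowed"]] + ["deny any"],
                "reason": "least privilege: IoT device reaches only its own servers"}
    return {"vlan": VLAN_USERS, "acl": ["permit any"], "reason": "compliant managed endpoint"}


def duplicate_mac_sessions(sessions: list) -> set:
    """Same MAC active on two ports at once: a cloned address or a double-homed
    device. Either way a human should look before the second session is admitted."""
    first_port = {}
    dupes = set()
    for s in sessions:
        mac = s["mac"].lower()
        if mac in first_port and first_port[mac] != s["port"]:
            dupes.add(mac)
        first_port.setdefault(mac, s["port"])
    return dupes


if __name__ == "__main__":
    for sess in ({"mac": "de:ad:be:ef:00:01"},
                 {"mac": "00:11:22:33:44:55", "agent_ok": True},
                 {"mac": "00:11:22:33:44:55", "agent_ok": False},
                 {"mac": "66:77:88:99:AA:BB"}):
        print(sess["mac"], admission_decision(sess))
    print(duplicate_mac_sessions([{"mac": "00:11:22:33:44:55", "port": "Gi1/0/3"},
                                  {"mac": "00:11:22:33:44:55", "port": "Gi1/0/9"}]))
```

The non-compliant branch lands a known laptop in the same quarantine as a stranger on purpose: compliance is re-checked on every connection, so a laptop whose agent was uninstalled loses production access until it is fixed, which is what keeps the monitoring described earlier in this lesson from being optional.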

You have completed this lesson.

SOAR

Hello. In this lesson we will take a look at Security Orchestration, Automation and Response (SOAR). SOAR is a
hot term in the security industry, so it's important to not only know what it is but to be familiar with the problems and
challenges that are addressed by SOAR. But before we get to that, let's first examine the basics.

What is SOAR? SOAR connects all of the other tools in your security stack together into defined workflows, which
can be run automatically. In other words, SOAR lets you increase your team's efficiency by automating repetitive
manual processes.

Automation is very important in today’s security world because security teams are overwhelmed. As new tools are
developed to address an evolving threat landscape, the analysts using those tools have to switch between them in
order to accomplish their day-to-day tasks.

One common day-to-day task is responding to alerts. With more security tools comes more alerts, which are
addressed in a series of manual processes and context switches—that is switching from one tool to another. More
alerts to respond to each day means that you have less time to spend on each alert, which increases the likelihood
of mistakes being made. Performance degradation in the face of a flood of alerts is called alert fatigue.

One obvious way to mitigate alert fatigue is simply to hire more analysts. However, thanks to a cyber-security
skills shortage, there simply aren't enough qualified analysts to hire. So if hiring more analysts is not an option,
how do we solve alert fatigue? Simple, with SOAR.

As mentioned, SOAR ties together the tools in your security stack. By pulling data in from all of these sources,
SOAR reduces context switching that analysts have to deal with. So, analysts can perform all of their usual
investigative processes directly from the source interface. Further, those processes can be manually or
automatically translated into a playbook, which is a flowchart-like set of steps that can be repeated on demand. By
using a playbook, you can ensure that every step in your standard operating procedure is followed. You also have
data on exactly what was done, when, and by whom. This capability is called orchestration and automation.

Investigation is another crucial SOAR capability. When a suspicious alert appears, teams can perform their
investigative tasks, such as checking threat intelligence sources for a reputation or querying a security information
management (SIM) system for related events, from within the SOAR platform. The information gleaned from this
investigation will determine the required mitigation steps. Then, because SOAR is a unified workbench of all your
security tools, you can take those mitigation steps from within SOAR as well. For example, from within SOAR you
can block traffic from a malicious IP address in your firewall or delete a phishing email from your email server. By
building your standard processes into playbooks, you can replace repetitive, time-consuming manual processes
with automation at machine speed. Automation frees analysts to devote more time to investigating critical alerts.

Implementing SOAR into your ecosystem does more than just centralize your incident response processes—it
optimizes an entire operation. Optimization results in streamlined responses at machine speed, allowing teams to
improve collaboration and better manage the never-ending wave of alerts. This is because SOAR allows users to
assign alerts to different analysts or teams at different stages of the response process, and for those assigned
users to add information to the alert as they work on it, so that others who reference that alert later will have
additional context on the investigation.

Let’s explain playbooks in more detail. Teams use playbooks, sometimes called workflows, as a way to respond to
alerts or incidents the same way every time. Playbooks work in unison with security teams by taking the steps an
analyst would typically implement when responding to an incident. Playbooks do the repetitive tasks, such as
compiling data into a report or sending emails, and can pause when human oversight is needed, such as to
implement a firewall block. Playbooks are the key to the automation capability of SOAR, allowing teams to
improve their response speed and consistency, while maintaining human authority over the process. Ultimately,
using a playbook can lead to reduced analyst workload and reduced chance of error.

Phishing investigations are one of the most common use cases for SOAR implemented by customers. Without
SOAR, an analyst will spend time investigating the sender of a phishing email and key indicators located within the
email headers or body. Performing these investigations usually means time spent entering domains and URLs
into a threat intelligence platform. If analysts determine that an email is harmful, they will need to spend additional
time investigating their email server and their SIM, determining who received the email, determining who clicked
on it, deleting it, and so on. With a phishing investigation playbook, the initial investigation steps are taken
automatically, as soon as the phishing email is reported. This way, the analysts will be alerted to only those emails
that the playbook determines are suspicious. After the analyst confirms that a reported email warrants further
action, the playbook can continue making additional SIM queries, deleting the email from all user inboxes, sending
an email to all recipients alerting them of the action taken, and providing helpful tips on what to do if they receive
similar phishing messages in the future.
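The phishing playbook described above, as an added example in Python (not part of the lesson and not FortiSOAR code). The reported email, the threat-intelligence table, the mail log standing in for the SIM query, and the step names are all constructed assumptions; the point is the gated step that pauses for analyst approval and the audit trail of who did what, and when.

```python
import re
from datetime import datetime, timezone

# Constructed threat-intel reputation table (stand-in for a TI platform lookup).
THREAT_INTEL = {"login-verify.example.net": "malicious", "example.com": "benign"}

# Constructed mail log (stand-in for a SIM / mail-server query): message id -> recipients.
MAIL_LOG = {"msg-001": ["alice@example.com", "bob@example.com", "carol@example.com"]}

# Constructed user-reported email.
REPORTED_EMAIL = {
    "id": "msg-001",
    "from": "it-support@login-verify.example.net",
    "body": "Your password expires today. Confirm at https://login-verify.example.net/reset now.",
}


class Playbook:
    """Runs steps in order; a step marked as needing approval pauses the run."""

    def __init__(self, steps):
        self.steps = steps      # list of (name, function, needs_approval)
        self.audit = []         # (timestamp, actor, step, note): what was done, when, by whom
        self.position = 0
        self.status = "idle"

    def _log(self, actor, name, note):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, name, note))

    def run(self, ctx, actor="playbook", approved=False):
        """Execute steps until done, until triage closes the alert, or until a step
        needs human approval. Call again with approved=True to resume past the gate."""
        while self.position < len(self.steps):
            name, func, needs_approval = self.steps[self.position]
            if needs_approval and not approved:
                self.status = "awaiting_approval"
                self._log(actor, name, "paused for analyst approval")
                return self.status
            approved = False            # one approval covers exactly one gated step
            self._log(actor, name, func(ctx))
            self.position += 1
            if ctx.get("closed"):
                self.status = "closed"
                return self.status
        self.status = "completed"
        return self.status


# --- playbook steps: each takes the shared context dict and returns an audit note
DOMAIN_RE = re.compile(r"https?://([\w.-]+)")


def extract_indicators(ctx):
    """Pull the sender domain and every linked domain out of the reported email."""
    email = ctx["email"]
    domains = set(DOMAIN_RE.findall(email["body"]))
    domains.add(email["from"].split("@")[-1])
    ctx["domains"] = sorted(domains)
    return f"extracted domains {ctx['domains']}"


def check_reputation(ctx):
    ctx["verdicts"] = {d: THREAT_INTEL.get(d, "unknown") for d in ctx["domains"]}
    return f"reputation {ctx['verdicts']}"


def triage(ctx):
    """Only emails with a malicious indicator reach the analyst; the rest close automatically."""
    ctx["suspicious"] = "malicious" in ctx["verdicts"].values()
    if not ctx["suspicious"]:
        ctx["closed"] = True
        return "no malicious indicators; alert closed automatically"
    return "malicious indicator found; escalating to analyst"


def find_recipients(ctx):
    ctx["recipients"] = MAIL_LOG.get(ctx["email"]["id"], [])
    return f"SIM query found {len(ctx['recipients'])} recipients"


def delete_and_notify(ctx):
    ctx["deleted"] = list(ctx["recipients"])
    ctx["notified"] = list(ctx["recipients"])
    return f"deleted message from {len(ctx['deleted'])} inboxes and notified users"


def phishing_playbook():
    return Playbook([
        ("extract_indicators", extract_indicators, False),
        ("check_reputation", check_reputation, False),
        ("triage", triage, False),
        ("find_recipients", find_recipients, True),   # analyst confirms before any action is taken
        ("delete_and_notify", delete_and_notify, False),
    ])


if __name__ == "__main__":
    pb, ctx = phishing_playbook(), {"email": REPORTED_EMAIL}
    print(pb.run(ctx))                                   # pauses: awaiting_approval
    print(pb.run(ctx, actor="analyst", approved=True))   # resumes: completed
    for entry in pb.audit:
        print(entry)
```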

So there you have it—a primer on SOAR—what it is, what problems it addresses, and how it helps. The Fortinet
SOAR product is named FortiSOAR™ and encompasses all of these features and more.

Thank you for your time. And don't forget to take the quiz!

SIEM

Hello! In this lesson, we will explain what security information and event management (SIEM) is, and how it has
evolved over time.

Introduced in 2005, SIEM analyzes security alerts in real-time. Fundamentally, SIEMs do three things:

One: Collect, normalize, and store log events and alerts from the organization’s network and security devices,
servers, databases, applications, and endpoints in a secure, central location. SIEM collects information not only
from physical devices, but also from virtual devices both on-premises and in the cloud. Investigators had found
that logging in to every system to check for relevant log events was increasingly impractical. Also, if your logs were
not secured, you had no guarantee that an attacker hadn’t simply deleted entries to hide their activities.

Two: Run advanced analytics on the data, both in real-time and across historical data, to identify potential security
incidents that should be investigated by a human. The potential incidents are prioritized by risk, severity, and
impact. Over time, these security analytics have grown from employing simple cross-correlation rules to
monitoring for user-behavioral anomalies, watching for known indicators of compromise (IoC), and applying
sophisticated machine learning models.

Three: Prove that all of the security controls under the purview of the SIEM are in place and effective. While
maintaining security for its own sake should drive security requirements and appropriate level of investment, in
reality, for many organizations, the primary driver for purchasing SIEM has been regulatory compliance.
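The first two SIEM jobs listed above, collection with normalization and a cross-correlation rule, as an added example in Python (not from the lesson and not FortiSIEM code). The firewall and sshd log lines are constructed samples, and their layouts and the brute-force rule thresholds are assumptions, not any product's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two imaginary sources with different formats:
# a firewall (key=value) and a Linux SSH daemon (syslog text).
FIREWALL_LOGS = [
    "2023-09-21T10:00:05Z fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2023-09-21T10:00:06Z fw01 action=allow src=203.0.113.9 dst=10.0.0.5 dport=22",
]
SSH_LOGS = [
    "Sep 21 10:00:10 host5 sshd[101]: Failed password for alice from 203.0.113.9 port 51234 ssh2",
    "Sep 21 10:00:12 host5 sshd[101]: Failed password for alice from 203.0.113.9 port 51235 ssh2",
    "Sep 21 10:00:14 host5 sshd[101]: Failed password for alice from 203.0.113.9 port 51236 ssh2",
    "Sep 21 10:00:20 host5 sshd[102]: Accepted password for alice from 203.0.113.9 port 51240 ssh2",
    "Sep 21 10:05:00 host5 sshd[103]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
                    r"from (?P<src>\S+) port \d+")


def normalize_firewall(line):
    """Map a firewall line onto the common event schema (None if it does not parse)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "firewall",
            "host": m["host"], "src_ip": m["src"], "user": None, "event": "conn_" + m["action"]}


def normalize_ssh(line, year=2023):
    """Map an sshd syslog line onto the same schema; syslog carries no year, so one is assumed."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"], "user": m["user"],
            "event": "auth_failure" if m["result"] == "Failed" else "auth_success"}


def collect(firewall_lines, ssh_lines):
    """Step one: normalize events from every source into one time-ordered store."""
    events = [e for e in map(normalize_firewall, firewall_lines) if e]
    events += [e for e in map(normalize_ssh, ssh_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Step two: a cross-correlation rule. Flag a source IP with `threshold` or more
    failed logins inside `window`; raise the severity if a success follows the burst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event"] == "auth_failure"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            success = [e for e in evs
                       if e["event"] == "auth_success" and last <= e["ts"] <= last + window]
            incidents.append({
                "src_ip": src,
                "users": sorted({f["user"] for f in burst}),
                "failures": len(burst),
                "severity": "high" if success else "medium",
                # every source that saw this IP, so the analyst gets the firewall context too
                "related_sources": sorted({e["source"] for e in evs}),
            })
            break   # one incident per source IP
    return incidents


if __name__ == "__main__":
    for incident in correlate_bruteforce(collect(FIREWALL_LOGS, SSH_LOGS)):
        print(incident)
```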

The first two decades of the twenty-first century have seen a deluge of new compliance requirements, both
legislative and industry sponsored. Some examples are the Payment Card Industry (PCI) standard, the Sarbanes-
Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), and the General Data
Protection Regulation (GDPR) in 2018. Businesses, hospitals, and other organizations ignore compliance at their
peril, and violators can incur punitive fines.

As cyberattacks became more sophisticated and stealthy, demands for information about a cyberattack—its
characteristics, purpose, and the extent of network penetration—grew more urgent. Another alarming fact was
that security teams very often did not discover breaches until many months after they had occurred, and then the
breach was more often discovered by a third party than by internal security. IT security needed a holistic picture of
network activity, and the real-time data collected by SIEM filled this need. In the second stage of development,
SIEM vendors added threat detection capabilities with built-in threat intelligence, historical and real-time analytics,
and user and entity behavior analytics (UEBA). And more recently, machine learning has become a part of SIEM’s
tool set, and is particularly needed when sifting through big data.

Another issue that hindered SIEM’s wider acceptance by organizations was the effort involved in setting it up,
integrating it, and using it. The technology was complex and difficult to tune, it was difficult to identify attacks, and it
demanded a high level of skill on the part of the user to know what they were looking for. For all its capabilities,
SIEM was not a set-it-and-forget-it technology. This situation was exacerbated by two other facts. One, IT security
suffers from an insufficient number of qualified professionals, and two, the siloed approach used in typical network
operations centers (NOCs) and security operations centers (SOCs) increases complexity and causes a lack of
network visibility. An environment composed of multivendor, single-point solutions with different operating
systems, patch cycles, protocols, and logic worked counter to interoperability and simplification. The result was
greater demand on sparse IT resources, increased chance of human error, and reduced network security visibility.
So while SIEM made great strides moving from an information platform to a threat intelligence center, it remained
hamstrung by both external and internal limitations.


The systemic shortage of trained personnel was the impetus for more automation and machine learning in later
SIEM devices. Artificial intelligence detects trends and patterns in enormous volumes of data more quickly than
even the cleverest human can. Moreover, time and accuracy are gained by configuring SIEM to respond and
remediate automatically. Recent developments in SIEM have also integrated NOC and SOC, thereby establishing
SIEM as the nerve center of all network and security operations. So, from a single pane of glass, IT security gains
visibility into the entire network. SIEM simplifies deployment and integration by way of a self-learning, real-time
asset discovery and device configuration engine. This tool establishes an inventory of network devices,
applications, users, and business services. It then builds a topology showing how each object is interconnected,
thereby establishing a baseline of normal network behavior. By determining what is normal, and with the aid of
machine learning, abnormal behavior can alert analysts to a cyberattack, which can then be stopped before a
breach occurs.

Within a couple of decades, SIEM has evolved from an information platform, to a threat intelligence center, to a
fully integrated and automated center for security and network operations.

The Fortinet SIEM product is named FortiSIEM™ and encompasses all of these features, plus others.

Thank you for your time, and please remember to take the quiz that follows this lesson.

Secure SD-WAN

Hello! In this lesson, we'll explain what SD-WAN is and how it has evolved.

SD-WAN stands for software-defined wide-area network, and it leverages the corporate WAN as well as multi-
cloud connectivity to deliver high-speed application performance.

In the past, organizations purchased and operated their own servers to run applications and store critical business
data. As a result, they had upfront capital expenses, and they needed to employ a team of highly trained
technicians to run these servers. While expensive, the competitive advantage it gave over those who didn’t
computerize their businesses made it worthwhile. One early challenge was to make these servers available to
various geographically-distributed networks, called local area networks or LANs.

You might recall that a WAN is a computer network that spans a large geographic area and typically consists of
two or more LANs. For example, if Acme Corporation spanned multiple cities and continents, each with their own
local area network, how would they connect these LANs so that someone in the London office could connect to a
database server in Singapore? Traditionally, businesses connected their LANs by way of a single, dedicated
service provider. Though expensive, they could control and secure this connection while providing access to
critical resources. However, this method had limitations. The single point of connectivity was subject to frequent
outages, which made it unreliable. In addition, because there was an increasing demand to host business
applications in the cloud, known as software as a service (SaaS), higher latency became an issue. SaaS
applications, like Salesforce, Dropbox, and Google Apps, and a greater reliance on video and voice conferencing,
contributed to the congestion. Businesses began to augment their connectivity by employing multiple providers, or
seeking more affordable broadband and other means of internet connectivity. The trend toward increasing hybrid
connections, and the growth of cloud applications to support underlying intelligent business decisions, led to the
first generation of SD-WAN.

Businesses added multiple dedicated carrier links and load-balancing per application traffic, based on how much
bandwidth was available. Although this approach seemed to solve a few bandwidth issues, it added yet another
product to solve another network challenge. These point products add complexity to the network
infrastructure. Why? Because adding multiple products from multiple vendors, each of which has a separate
management console and often does not fully integrate with other products, becomes a management
nightmare for IT security administrators. Still, the first generation of SD-WAN solved a pressing business need: its
basic load-balancing techniques allowed the network to make application-intelligent business decisions on hybrid
WAN links, including service provider, broadband, and long-term evolution or LTE, which is a standard for
wireless broadband communication for mobile devices and data terminals.

Accurate application identification, visibility into network performance, and reliable switchover of application traffic
between the best-performing WAN links established SD-WAN as the most sought-after WAN technology across all
businesses.

However, security remained a serious consideration for businesses. Even after SD-WAN adoption, businesses
kept sending all their sensitive and critical application traffic to data centers for security purposes, or were forced
to install a sophisticated firewall solution to inspect their direct internet access. This added another point product
for security, making the network yet more complex, challenging to manage, and delaying cloud adoption.

Businesses needed to address these challenges by integrating security and networking functionalities into a
single, secure SD-WAN appliance. This enabled businesses to replace their multiple point products with a
powerful, single security appliance, at reduced cost and with easier management. A strong security posture helped
businesses to use cloud applications more affordably, with lower latency, and with a direct internet connection
ensuring optimal application performance and best user experience. Continued network performance health
checks ensured that the best available WAN link was chosen, based on user-defined application service level
agreements. Should a particular link degrade, the SD-WAN device knew to move the connection to the better
performing WAN link.
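The SLA-driven link selection described above, as an added example in Python (not from the lesson and not FortiGate code). The application SLA targets, the per-link health-check probes, the link priority order and the field names are all constructed assumptions; the example also shows that the same degraded link can still satisfy a less demanding application, so steering is per application rather than per link.

```python
from statistics import mean

# Constructed per-application SLA targets (assumed names): worst acceptable latency (ms),
# jitter (ms) and packet loss (%) for that application's traffic.
APP_SLA = {
    "voice": {"latency": 150.0, "jitter": 30.0, "loss": 1.0},
    "file-sync": {"latency": 500.0, "jitter": 100.0, "loss": 5.0},
}

# Constructed health-check probes per WAN link: round-trip time in ms, None = probe lost.
HEALTHY = {
    "mpls": [20, 22, 21, 23, 20],
    "broadband": [40, 55, 45, 60, 50],
    "lte": [90, None, 120, 110, 100],
}
DEGRADED = dict(HEALTHY, mpls=[280, 310, 290, 300, 295])   # the MPLS link has slowed down


def summarize(samples):
    """Collapse a list of probes into latency (mean), jitter (mean delta) and loss (%)."""
    rtts = [s for s in samples if s is not None]
    if not rtts:   # every probe lost: the link is effectively down
        return {"latency": float("inf"), "jitter": float("inf"), "loss": 100.0}
    deltas = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
    return {"latency": mean(rtts), "jitter": mean(deltas) if deltas else 0.0,
            "loss": 100.0 * (len(samples) - len(rtts)) / len(samples)}


def meets_sla(stats, sla):
    return all(stats[k] <= sla[k] for k in sla)


def select_link(app, link_samples, current=None, priority=("mpls", "broadband", "lte")):
    """Choose the link for `app`: keep the current link while it still meets the SLA,
    otherwise fail over to the highest-priority link that does; if none does, take the
    lowest-latency link so that traffic keeps flowing."""
    stats = {name: summarize(samples) for name, samples in link_samples.items()}
    sla = APP_SLA[app]
    if current in stats and meets_sla(stats[current], sla):
        return current
    for name in priority:
        if name in stats and meets_sla(stats[name], sla):
            return name
    return min(stats, key=lambda n: stats[n]["latency"])


if __name__ == "__main__":
    print("voice, healthy:", select_link("voice", HEALTHY))
    print("voice, MPLS degraded:", select_link("voice", DEGRADED, current="mpls"))
    print("file-sync, MPLS degraded:", select_link("file-sync", DEGRADED, current="mpls"))
```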

Today, in secure SD-WAN, intuitive business policy workflows make it easy to configure and manage
application needs, with the flexibility of prioritizing business-critical applications. A centralized management
console provides single-pane-of-glass visibility and telemetry to identify, troubleshoot, and resolve network issues
with minimal IT staff. Comprehensive analytics on bandwidth utilization, application definition, path selection, and
the security threat landscape not only provide visibility into the extended network, but also help administrators to
quickly redesign policies, based on historical statistics, to improve network and application performance.

Overall, positive outcomes of a secure SD-WAN solution are simplification, consolidation, and cost reduction
while providing much needed optimal application performance and best user experience for the enterprise, SaaS,
and Unified Communications as a Service (UCaaS) applications. Run-time analytics and telemetry help
infrastructure teams coordinate and resolve issues in an accelerated manner, which reduces the number of
support tickets and network outages.

Fortinet introduced the term Secure SD-WAN, with FortiGate®, the Fortinet next-generation firewall (NGFW), at its
core. In addition to the FortiGate® device, the Secure SD-WAN solution includes other advanced networking
features.

Thank you for your time, and please remember to take the quiz that follows this lesson.

ZTNA

Welcome to the ZTNA lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives.

What is ZTNA?

ZTNA establishes a secure session between an end entity and a network, while ensuring granular control over
access to resources and exercising zero trust, regardless of the location of either the end entity or the network.

Part of the zero trust principle is the practice of least privilege access. This means that users are only granted
access to the resources necessary to fulfil their job requirements, and no more.

As a network security concept, zero trust operates under the premise that no user or device inside or outside the
network should be trusted, unless their identification and security status have been thoroughly checked. Zero trust
operates on the assumption that threats, both outside and inside the network, are omnipresent. Zero trust also
assumes that every attempt to access a network or an application is a threat.

So, regardless of whether the end entity is remote or on-premises, the connecting computing device automatically
establishes an encrypted session with the network. Specifically, this connection takes place between a ZTNA
client at the end entity and the ZTNA access proxy, which could be a firewall. The proxy point hides the locations
of requested applications from the outside. The proxy directs the client’s request to the application, which could be
on-site or in the cloud, only if the user meets access requirements.

Other ZTNA components are authentication and security. Because the user is identified through authentication
against an on-premises backend server or an Identity-as-a-service (IDaaS), policy can be applied based on the
user roles.

Also, the ZTNA policy server enforces policy to control access, specifically to applications. For example, access
could, in part, be based on geolocation. So, if the remote device is connecting from an unexpected point in the
world, access to an application could be denied or privileges reduced.

Likewise, if a device fails a security sanity check, the user could be denied access. Security is composed of
firewalls and the ZTNA access proxy, which control access and provide security to application resources.

Unlike IPsec VPN, but similar to SSL VPN, ZTNA is vendor specific. This means that each vendor can implement
ZTNA in a way that best suits their specific requirements.

The diagram on this slide is the Fortinet ZTNA solution. The Fortinet ZTNA client is FortiClient.

Also in this diagram, FortiClient Endpoint Management Server (EMS) acts as the ZTNA policy server. When an
endpoint device with FortiClient attempts to connect to the network for the first time, it is directed to FortiClient
EMS to register. During the registration process, FortiClient provides the server with information about the device,
the user, and the security posture of the device. This information is written to tags and shared with the firewall,
FortiGate.

Based on the information in the tags, the device can be grouped and certain rules can be applied. The rules act as
instructions for FortiGate. FortiGate applies the rules to the device each time it connects to the network. An
example of a rule could be that a device with Windows 10 plus antivirus software is allowed access, but a device
with Windows 10 and no antivirus software is denied access.

At the end of the registration process, FortiClient EMS generates a digital certificate for the device, sends the
certificate to the device, and shares it with FortiGate. From this point onward, the device submits the certificate to
FortiGate each time it needs to identify itself.

FortiClient is in continuous communication with FortiClient EMS. If the endpoint information changes, the server
updates the client tags and resynchronizes with FortiGate.

The ongoing communication between these components is called network telemetry, and it provides agile and
dynamic responses to enhance network security.

How does Fortinet ZTNA work?

When the endpoint connects to the ZTNA access proxy, FortiGate challenges the endpoint for device
identification.

The endpoint sends the device certificate to FortiGate, proving the device identity. Then, FortiGate applies the
associated tags and rules and either rejects the request or allows the device to proceed.

FortiGate challenges the endpoint for user authentication.

The endpoint prompts the user for their credentials and delivers the credentials to the access proxy.

In turn, the access proxy sends the user credentials to the backend for authentication.

The authenticating server could be an AD, an LDAP directory, a database, or IDaaS.

The ZTNA access proxy retrieves the user’s identity, along with role information. FortiGate uses the role
information to help determine if the user has permission to access the requested network application.

Finally, assuming that the device and user have been identified, and the device’s tags and rules plus the user’s
roles allow access to the resource, an encrypted session is initiated between the ZTNA client and the ZTNA
access proxy, and the user gains access to the application.
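The access-proxy decision sequence described above (device certificate, tags and rules, user authentication, role check), as an added example in Python that simulates the logic; it is not from the lesson and not FortiGate, FortiClient or EMS code. The certificate registry, device tags, rule format, backend directory, application policy and the geolocation rule are constructed assumptions; no real session or encryption is set up.

```python
import hashlib
import hmac

# Constructed stand-in for certificates issued by the policy server at registration:
# certificate serial -> device id. A serial not in this table is an unknown device.
ISSUED_CERTS = {"serial-1001": "laptop-alice", "serial-1002": "laptop-bob",
                "serial-1003": "laptop-legacy", "serial-1004": "laptop-travel"}

# Constructed device tags, as the policy server would share them with the firewall.
DEVICE_TAGS = {
    "laptop-alice":  {"os": "Windows 10", "antivirus": True,  "country": "GB"},
    "laptop-bob":    {"os": "Windows 10", "antivirus": True,  "country": "GB"},
    "laptop-legacy": {"os": "Windows 10", "antivirus": False, "country": "GB"},
    "laptop-travel": {"os": "Windows 10", "antivirus": True,  "country": "US"},
}

# Device rules (assumed format): every required tag must match, or the device is rejected.
# This encodes the lesson's example: Windows 10 with antivirus is allowed, without it is denied.
DEVICE_RULES = [
    {"name": "av-required", "require": {"os": "Windows 10", "antivirus": True}},
]

# Application policy (assumed format): permitted roles and permitted connecting countries.
APP_POLICY = {
    "hr-portal": {"roles": {"hr"}, "countries": {"GB", "SG"}},
    "crm": {"roles": {"sales", "hr"}, "countries": {"GB"}},
}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed backend directory (stand-in for AD, LDAP or IDaaS) with salted password hashes.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": {"hash": _hash("correct horse", _SALT), "roles": {"hr"}},
    "bob": {"hash": _hash("battery staple", _SALT), "roles": {"sales"}},
}


def identify_device(cert_serial):
    """Step 1: the endpoint proves device identity with the certificate issued at registration."""
    return ISSUED_CERTS.get(cert_serial)


def check_device_rules(tags):
    """Step 2: apply the rules to the device tags; return the first failing rule name, or None."""
    for rule in DEVICE_RULES:
        if any(tags.get(k) != v for k, v in rule["require"].items()):
            return rule["name"]
    return None


def authenticate_user(username, password):
    """Step 3: the proxy forwards credentials to the backend; returns the user's roles or None."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, _SALT)):
        return None
    return rec["roles"]


def ztna_access(cert_serial, username, password, app):
    """Full decision: returns (granted, reason). Every step must pass before a session is allowed."""
    device = identify_device(cert_serial)
    if device is None:
        return False, "unknown device certificate"
    tags = DEVICE_TAGS.get(device, {})
    failed = check_device_rules(tags)
    if failed:
        return False, f"device rule failed: {failed}"
    roles = authenticate_user(username, password)
    if roles is None:
        return False, "user authentication failed"
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if tags.get("country") not in policy["countries"]:
        return False, "geolocation not permitted for this application"
    if not roles & policy["roles"]:
        return False, "user role not permitted for this application"
    return True, f"session permitted for {username} on {device} to {app}"


if __name__ == "__main__":
    print(ztna_access("serial-1001", "alice", "correct horse", "hr-portal"))
    print(ztna_access("serial-1003", "alice", "correct horse", "hr-portal"))
```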

You’ve completed the lesson. You can now achieve these objectives.

Cloud Services Models

Hello! In this lesson, we explore the mysterious “cloud”, what it really is, how it came to be, and some of the
security issues that we encounter there.

First, let’s de-mystify the cloud. It’s amusing that “the cloud” has extremely high public name recognition, but few
understand what it really is.

Before the cloud, organizations purchased their own computer systems to run the application software needed to
run the business. These computer systems were located in the organization’s facilities, and managed by teams of
experts. While not always the case, often there was more than one computer system (or server) per major
application.

This setup was expensive because of the capital cost of the computer hardware and labor cost of the resident
experts who kept it all running; but it was worth it. These systems raised overall productivity and helped maintain
competitive advantage.

Not long ago, someone noticed that of all their computer systems, only a few were completely busy at any given
moment in time. Most were idle, waiting for the next transaction to come in. Bottom line: there were many wasted
resources.

So, a new way of using server hardware, called virtualization, was developed. Virtualization actually comes from
older mainframe technology that lets a single server run the operating systems and applications of multiple
servers simultaneously. Virtualization consolidates workloads onto fewer servers, increasing their utilization and
saving money.

It wasn’t long until most datacenters were transformed from rows of computer hardware dedicated to specific
applications, into a collection—or pool—of general hardware resources running virtualized applications. It was just
the smart thing to do.

Along come some ingenious entrepreneurs who build enormous datacenters, filled with generalized computer
hardware, and offer to rent out portions of this infrastructure so that their customers can run their virtualized
applications there, instead of on their own hardware. With that, the cloud is born.

This type of cloud computing is called Infrastructure as a Service or IaaS. IaaS provides organizations with
networking, storage, physical servers, and virtualization, while users must still provide computers with operating
systems, middleware, data, and applications. Middleware is software that acts as a bridge between the OS and
applications. An organization uses this type of service when demand for its services or products varies, such as
during seasonal holidays where workloads on systems increase. Examples of this type of service provider are
Amazon Web Services, Microsoft Azure, and Google Compute Engine.

There are other types of clouds as well. For example, service providers rent cloud-based platforms for software
developers to develop and deliver applications. This service, named Platform as a Service or PaaS, provides the
OS and middleware in addition to the elements provided by IaaS. This service makes it easier, more efficient, and
cheaper for organizations to build, test, and deploy applications.

A third example is Software as a Service or SaaS. In this cloud service, the software is hosted by a third party.
Typically, the end user connects to the application using their browser. Common examples of applications
available through SaaS are Google Mail, Salesforce, DocuSign, and Netflix.

Either way, moving the cost of having applications run on expensive, company-owned hardware capital assets to
a model where the price is a recurring operating cost is very attractive to most organizations.


Now let’s look at what this means to security.

When applications are hosted in a company’s own datacenter, the security picture is straightforward: you put the
appropriate security technology at the right locations to address the specific security concerns.

Providing security for the cloud, however, is not so clear. You could say it’s a bit cloudy. Bottom line: security is a
shared responsibility between the cloud provider and the customer utilizing the cloud services.

Designed in layers, security includes both the physical components and logical components.

The cloud infrastructure provided by IaaS vendors is protected in various ways. From an availability point of view,
the infrastructure is designed by the vendor to be highly available, and it follows that the infrastructure’s uptime is
the responsibility of the vendor. From a security point of view, the vendor is only responsible for securing the
infrastructure it provides.

As a customer, when you install one or more virtualized applications in the vendor’s cloud infrastructure, you are
responsible for securing the access, the network traffic, and the data applications.

Now, most vendors supply some form of security tools so that various parts of the customer’s cloud application
environment can be secured. However, these tools can pose a few problems.

First, these tools tend to provide only a few, basic security functions, and they are the same tools the vendors use
to secure the underlying infrastructure. If an attacker were to bypass these tools at the infrastructure layer, they
would likely be able to bypass them at the customer’s application level as well.

Second, and perhaps more important, is the fact that many organizations operate in a hybrid world where some of
their applications remain hosted in their own datacenters, some in Vendor A’s IaaS cloud platform, some in
Vendor B’s cloud platform, and various others with multiple SaaS vendors. This is what we call a “Multi-Cloud”
environment, and it comes with a “Multi-Cloud” problem: multiple, independent, uncoordinated security
solutions—a problem where complexity can scale geometrically with the number of cloud vendors involved.

Now, highly trained security staff are scarce to start with. Add to that a burden to integrate and operate multiple
non-integrated security environments simultaneously … it can be a real problem.

At Fortinet, we have security solutions such as FortiGate, FortiMail, FortiWeb, FortiSandbox, FortiInsight, and
others within the Fortinet Security Fabric that are not only at home in a company’s data center, providing the same
consistent security, they are optimized for all the leading IaaS cloud providers.

To wrap up, we’ve shown the fundamentals of how “the cloud” came to be, how cloud environments are secured,
and described Fortinet’s cloud security strategy that scales from simple cloud-only environments to complex multi-
cloud environments.

Thank you for your time, and please remember to take the quiz that follows this lesson.

SASE

Hello! In this lesson, we will introduce you to Secure Access Service Edge (SASE), and explain how it has evolved.

SASE is a technology that combines Network as a Service with Security-as-a-Service capabilities.

SASE is delivered through the cloud in an as-a-service consumption model, to support secure access for today’s
distributed and hybrid enterprise networks.

Network security is a top priority for most organizations; however, new challenges have emerged. Rapid and
disruptive digital innovation has brought on:
• An expanding thin edge defined by small branch locations that are attached to the core network
• A growing number of off-network users accessing the central data center
• A challenging user experience for off-network users
• An expanding attack surface
• Multi-level compliance requirements, and
• Increasingly sophisticated cyber threats
As work environments have evolved, so too have user behavior and endpoint protection requirements. Users no
longer access information from a dedicated station within a pre-defined network perimeter confined to a corporate
office. Instead, users access information from a variety of locations, such as in the home, in the air, and from
hotels. They also access that information from different devices, such as desktop workstations, laptops, tablets,
and mobile devices. Adding to this network complexity is the rise of Bring-Your-Own-Device, where users access
enterprise systems through personal devices that are not part of the enterprise infrastructure.

Organizations today require that their users have immediate, continuous secure access to network and cloud-
based resources and data, including business-critical applications, regardless of location, on any device, and at
any time. Organizations must provide this access in a scalable and elastic way that integrates thin edge network
sites and remote users into the central infrastructure, and that favors a lean operational, as-a-service model.

Finding solutions that meet these requirements is challenging.

The reasons for this are clear.

While networks have evolved to support the workflows for remote endpoints and users, many outdated network
security solutions remain inflexible and do not extend beyond the data center to cover the ever-expanding network
perimeter and, therefore, the attack surface. With the advent of new thin edge networks, this challenge is
exacerbated.

Secondly, these solutions to converged networking and security oversight require that all traffic, whether coming
from thin edge locations or off-network users, runs through the core data center for inspection. This results in:
• High cost
• Complexity
• Elevated risk exposure
• Latency and a poor user experience when accessing multi-cloud-based applications and data
Finally, the multi-edge network environment of today has exposed the limitations of VPN-only solutions, which are
unable to support the security, threat detection, and zero-trust network access policy enforcement present in the
corporate on-premises network. VPN-only solutions cannot scale to support the growing number of users and
devices, resulting in inconsistent security across all edges.


A new scalable, elastic, and converged solution is required to achieve secure, reliable network access for users
and endpoints: one that addresses the security needs of hybrid organizations, whose systems and users are
spread across corporate and remote networks. That solution is SASE.

A SASE solution provides integrated networking and security capabilities, including:

• Peering, which allows network connection and traffic exchange directly across the internet without having to pay a
third party.
• A Next-Generation Firewall (NGFW) or cloud-based Firewall-as-a-Service (FWaaS), with security capabilities
including Intrusion Prevention System (IPS), anti-malware, SSL inspection, and sandbox.
• A Secure Web Gateway to protect users and devices from online security threats by filtering malware and enforcing
internet security and compliance policies.
• Zero-Trust Network Access (ZTNA), which ensures that no user or device is automatically trusted. Every attempt to
access a system, from either inside or outside, is challenged and verified before access is granted. It consists of
multiple technologies, including multi-factor authentication (MFA), secure Network Access Control (NAC), and access
policy enforcement.
• Data Loss Prevention (DLP), which prevents end users from moving key information outside the network. These
systems inform content inspection of messaging and email applications operating over the network.
• Domain Name System (DNS), which serves as the phone book of the internet and provides SASE with threat
detection capabilities to analyze and assess risky domains.

These services deliver:
• Optimized paths for all users to all clouds to improve performance and agility
• Enterprise-grade certified security for mobile workforces,
• Consistent security for all edges, and
• Consolidated management of security and network operations
Although SASE is classified as cloud-based, there are common SASE use cases that require a combination of
physical and cloud-based solutions. For SASE to be effectively deployed in this scenario, secure connectivity with
network access controls must be extended from the physical WAN infrastructure to the cloud edge. For example,
to roll out access to SASE at branch offices, you may see SASE rely on physical networking appliances, such
as wireless (LTE and 5G) and wired (Ethernet) extenders or Wi-Fi access points.

The goal of SASE is to support the dynamic, secure access needs of today’s organizations. Proper SASE service
allows organizations to extend enterprise-grade security and networking to the:

• Cloud edge, where remote, off-network users are accessing the network, and
• Thin edge, such as small branch offices.

Fortinet’s cloud-based SASE solution is called FortiSASE.

Thank you for your time, and please remember to take the quiz that follows this lesson.



Fortinet Technologies Inc.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
