1/26/22
Vid 1:
Botnet – a command and control server, reachable on the internet, plus malware installed on some
unsuspecting computers that waits patiently for instructions from that server.
Cyber Criminals
- Getting into the network
- Grabbing personal information
Spear phishing – emails
Ransomware – extorts money, demanding payment for the key needed to decrypt the data
Cyber Warriors
Espionage, extortion, and embarrassment
- well-funded groups
Zero Day
Vid 2:
Information Security
Human Firewall
- common sense
Data Protection
- security and privacy go hand in hand
- Data Privacy: collection, retention, deletion
- Cybersecurity: Protecting networks, devices, data
- Information security: integrity, confidentiality, availability
- Physical security
1. Vulnerability
2. Attackers
3. Attack Surface
Goal of cybersecurity professionals:
1. Identify all the attack surfaces
2. Reduce their size
3. Decrease the risk of attack
4. Malware
Malicious code classification:
1. Virus
2. Worm
3. Botnet
4. Trojan Horse
5. DDoS
6. Ransomware
Malicious data files are non-executable
Social Engineering
- Obtain trust, then exploit it
Zero day – an unpatched vulnerability that only an attacker knows about; such vulnerabilities are often sold on the black
market for large sums of money
Recognize potential risks
PII Personally Identifiable Information
GDPR General Data Protection Regulation (Europe)
Protect personal and proprietary data
Vid 3 Passwords Lesson:
Password Manager
MFA Multi-Factor Authentication
- Physical Token
- One time code
Backup
Archiving
Vid 4 Internet threat lesson:
IoT Internet of Things
Social Engineers / Threat Actors
1. Juice Jacking (public charging)
2. Phishing
3. Ransomware (email, data)
4. Spearphishing, whaling, CEO Fraud and Business Email Compromise (BEC) (specific target)
Mobile Security
Wi-fi Wireless Fidelity
Develop good mobile habits
Email:
Domain Spoofing
Lesson 5: Insider Threat Perspectives
Physical Security Awareness
Insider Threats:
Malicious Insider Threats:
Vid 6:
CIO Chief Information Officer Perspective
- Information technology resources
- People, processes, technology = IT organizations
- Business goals = IT infrastructures
Vid 7:
CISO Chief Information Security Officer Perspective
- CEO, COO, CFO, General counsel
- Then create strategies and programs
- Risk vs Value (assessment)
Vid 8:
CFO Chief Financial Officer Perspective
- Reports to CEO
- Manage Financial Risk of company
- Past, present, future
- Past: looking back, assessing reports, goals and forecasts
- Present: how to invest, the capital structure of the company
- ERP Enterprise Resource Planning
- Future: Financial Forecasts
- Valuable Data Assets
Vid 9:
Attack Surface
Assessment 1:
1. It is OK to use the same password for all your online accounts as long as you keep it a
secret
- TRUE
2. What is the first thing you should do if your company is facing ransomware demands?
- Contact the police and do not pay the ransom
3. Cybersecurity is the responsibility of:
- Everyone in the company
4. What does the “https://” at the beginning of a URL denote, as opposed to
“http://” (without the “s”)?
- That information entered into the site is encrypted
5. I can always trust emails and attachments I get from different people.
- FALSE
6. Brute Force is a way of finding out the right credentials by repetitively trying all the
permutations and combinations of possible credentials.
How can you prevent a brute force attack? (Choose three.)
- Set a minimum length for passwords,
- Increase the password complexity,
- Set a limit on login failures
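Added example (not part of the course or the quiz): the three brute-force countermeasures named in question 6 as working Python. check_policy enforces a minimum length and a complexity rule, and LoginService stores PBKDF2 hashes and locks an account after a fixed number of failed attempts. The policy values (12 characters, 5 failures), the username and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumed policy values for this example (not figures from the course).
MIN_LENGTH = 12      # minimum password length
MAX_FAILURES = 5     # consecutive bad attempts before the account locks


def check_policy(password: str) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items()
               if not re.search(pattern, password)]
    if len(missing) > 1:  # complexity rule: at least three of the four classes
        problems.append("needs at least three character classes; missing: "
                        + ", ".join(missing))
    return problems


class LoginService:
    """Stores salted password hashes and enforces a login-failure limit."""

    def __init__(self):
        self._users = {}  # username -> record dict

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # Slow hash: each guess costs the attacker time as well as an attempt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._hash(salt, password),
                                 "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        rec = self._users.get(username)
        if rec is None:
            return "denied"          # same answer as a bad password: no username oracle
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(rec["hash"], self._hash(rec["salt"], password)):
            rec["failures"] = 0      # a good login resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True     # brute force stops here until an admin unlocks
            return "locked"
        return "denied"
```

The lockout counter is what actually stops a brute-force run: once the limit is hit, even the correct password no longer gets in until the account is unlocked, so guessing cannot continue unnoticed.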
7. How can data be safeguarded?
- All of the above
8. When is it ok to reuse a password?
- Never
9. Which of the following is an example of a “phishing” attack?
- All of the above
10. Personal Identifiable Information (PII) is used to verify your identity and distinguish one
person from another. Which of the following is an example of PII?
- All of the above
11. Is someone or something that can cause potential harm and damage to your
organization.
- Threat
12. A phishing attack can harm your personal computer only, but not your company’s
network
- False
13. Are the damages that can be caused to the organization by exploiting vulnerabilities.
- Risks
14. Cybersecurity is IT's responsibility. The everyday end users in the office don't need to
worry about this topic
- False
15. What are the common types of cyberattacks an enterprise is likely to face?
- All of the above
16. It assures the information is trustworthy and reliable
- Integrity
17. Is a vulnerability that could happen if an application/network/device is susceptible to
attack due to an insecure configuration option. It can be as simple as keeping the default
username/password unchanged.
- Security misconfiguration
18. What are some ways you can support password security?
- All of the above
19. A collection of rules that limits access to information.
- Confidentiality
20. Possible threat to any information cannot be ________________
- Ignored
21. What is the weakest link in cybersecurity?
- Humans
22. Small businesses are safe from cyber attack(s).
- False
23. Are used by cybercriminals to fool people into believing them as credible individuals to
get them to reveal confidential information such as credit card details, internet banking
credentials, and other sensitive data
- Social engineering attacks
24. Is a group of internet-connected devices such as servers, PCs, mobile devices, etc.,
that are affected and controlled by malware
- Botnet
25. If a public Wi-Fi network (such as in an airport or café) requires a password to access, is
it generally safe to use that network for sensitive activities such as online banking?
- No, it is not safe
26. Distributed Denial of Service (DDoS) is a method where cybercriminals flood a network
with so much traffic that it cannot operate or communicate as it normally would.
- Use anti-DDoS services ,
- Use load balancing
27. What is the best way to keep employees from falling for phishing scams?
- Cybersecurity awareness training
28. Refer to the weakest points in your systems that can be exploited by a cyber-criminal.
- Vulnerabilities
29. It provides reliable access to data for authorized people.
- Availability
30. Your passwords should be easy to remember and hard to guess, which of the following
is an example of strong password?
- $ayN02#ackers
1/28/22
Bad Actors:
1. The Explorer
2. The Hacktivist
3. Cyber Terrorist
4. Cyber Criminal
5. Cyber Warrior
1/31/22
QUIZ NSE 1
1. Identify three examples of personally identifiable information (PII). (Choose three.)
- Credit card
- Full name
- Biometrics, such as a fingerprint
2. Identify two good password practices. (Choose two.)
- The password should be unique from your other passwords.
- Replace the password at least twice a year.
3. Replace the password at least twice a year.
- Use a combination of seemingly random upper and lowercase letters, numbers, and
special characters that is easy to remember but difficult to guess.
4. Which definition best describes personally identifiable information (PII)?
- Any information that someone can use to identify you
5. In the context of cybersecurity, which definition best describes social engineering?
- An exploitation of a relationship or interaction to trick a person into divulging sensitive or
personal information
6. An exploitation of a relationship or interaction to trick a person into divulging sensitive or
personal information
- Human error
7. Why are insider threats one of the most challenging attack vectors?
- Employees are trusted users who have legitimate access to an organization’s data and
resources.
8. Complete the sentence. Phishing attacks are different than spear phishing, whaling, and
vishing because they
- are aimed at a wide audience, while the others are directed toward individuals or specific
organizations.
9. Which method is recommended to manage passwords?
- Use a password manager.
10. What is the motivation of the bad actor known as the “Explorer”?
- Notoriety
11. What is the goal of the “Cyber Terrorist”?
- Intimidation through disruption and damage
12. Which method is a defense against potential insider threats?
- Identify and report any suspicious activity.
13. Complete the sentence. A social engineering attack that compromises public charging
stations and installs malware when a portable device plugs in, is known as
- Juice Jacking
14. Which three of the following activities represents data vulnerabilities on a mobile device?
(Choose three.)
- Synchronization between computers and mobile devices
- Social networking
- Banking
15. Who are included as insider threats?
- Employees who sometimes do not follow security practices
16. Which practice should you implement for backups?
- Which practice should you implement for backups?
17. What is the motivation of the “Cyber Terrorist”?
- Ideology
18. Identify the best description of vishing.
- A phone exploitation that often relies on caller ID to appear legitimate
19. What are the primary motivations of the “Hacktivist”?
- Political, social, or moral disagreements
20. Which of the following is a good habit for protecting your mobile device?
- Change the factory-set default password and username.
2/3/22
Lesson 1: Cloud Security:
Cloud
- Raised overall productivity
- Helped maintain competitive advantage
Virtualization
- A new way of using old server hardware
- Comes from old technology and mainframe computing that lets a single computer run the
operating systems and applications from multiple servers simultaneously.
- Consolidates workloads onto fewer servers:
o Increasing utilization
o Saving money
Infrastructure as a Service (IaaS)
- Hardware for rent
Software as a Service (SaaS)
- Run applications with managed services
- Databases that a customer does not need to patch and maintain
- Provides a complete application environment
- Google mail
Platform as a Service (PaaS)
- Services where the cloud provider manages more than the underlying infrastructure such as:
o OS patching
- Becoming increasingly prevalent
- Expensive company-owned hardware capital assets
- Recurring operating cost
Security is the shared responsibility between the cloud provider and the customer utilizing the cloud
service.
Design in layers, security includes:
- Physical components
- Logical components
IaaS cloud infrastructure
- The infrastructure is designed by the vendor to be highly available
Vendor is responsible for infrastructure security
- The customer is responsible for securing access, network traffic, data and applications.
Security tools
- Problems:
o Basic security functions
o Same tools vendors use to secure underlying infrastructure
Many organizations operate in a hybrid world
Vendor A IaaS cloud platform, Vendor B cloud platform, Multiple SaaS vendors
Multi-Cloud Environment – a problem where complexity can scale geometrically with the number of cloud
vendors involved.
Fortinet:
1. FortiGate
2. FortiMail
3. FortiWeb
4. FortiSandbox
5. FortiInsight
6. Fortinet Security Fabric
Leading IaaS cloud providers:
1. Amazon AWS
2. Microsoft Azure
3. Google cloud
4. VMware
5. Cisco ACI
6. Oracle cloud
7. IBM
LESSON 2: SD-WAN
SD-WAN (Software-defined wide area network)
- Leverages the corporate WAN as well as multi-cloud connectivity to deliver high-speed
application performance.
WANs (Wide Area Networks)
- A computer network that spans a wide geographic area and typically consists of two or more
LANs.
SaaS (Software as a Service)
- Salesforce
- Google Apps
- Dropbox
Increasing hybrid connections and the growth of cloud applications to support underlying business decisions
led to the first generation of SD-WAN
Point products:
- Escalate the complexity of the network infrastructure
SD-WAN’s basic load-balancing technique allowed:
- Application-aware business decisions on hybrid WAN links:
o service provider
o broadband
o Long-Term Evolution (LTE)
- LTE is the standard for wireless broadband communication for mobile devices and data
terminals
Secure SD-WAN addresses these challenges by integrating security and networking functionalities into a single secure SD-WAN
appliance
- This enabled businesses to replace their multiple point products with a single, powerful security
appliance
- Reduced cost
- Ease of management
- Business policy workflows make it easy to configure and manage the applications the business needs
Centralized management console provides
- single pane-of-glass visibility
- Telemetry
o to identify
o troubleshoot
Comprehensive analytics cover:
- bandwidth utilization
- application definition
- path selection
- the security threat landscape
These not only provide visibility into the extended network but help administrators quickly redesign policies
Positive outcome of a secure SD WAN solution are:
- simplification
- consolidation
- cost reduction
- Optimal application performance
- Best user experience for the enterprise
- SaaS
- Unified Communications as a Service (UCaaS)
Real-time analytics and telemetry help infrastructure teams coordinate and resolve issues in an
accelerated manner, which reduces the number of support tickets and network outages
Secure SD-WAN (FortiGate)
Next-Generation Firewall (NGFW)
Lesson 3: Endpoint Security
Endpoint – any personal device used by an end user; an easy point of entry
- Desktop computer
- Laptop
- Handheld device
- Now, it includes Internet of Things (IoTs)
Lesson 4: Firewalls
Packet Filter Firewalls
- Examine the very lowest protocol layers, such as:
o Source and destination network addresses
o Protocols
o Port numbers
- Firewall rules use these attributes to define which packets are allowed through, based on:
o Packet network address
o Protocol
o Port number
- Drawback
o They took a one-size-fits-all approach
Stateful firewalls
- Second-generation firewalls
- Designed to observe a network connection over time
- Permit acceptable protocols such as HTTP
HTTP
- Frequently used network protocols
- Used in many ways
- Static text content
- E-commerce
- File hosting
- Web applications
o They all use the same port number, so the firewall cannot distinguish them
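Added example (not from the course): a small simulation of the first two firewall generations described above. stateless_filter judges every packet alone from its header fields, so it has no way to admit the reply to an outbound web request without a blanket inbound rule; StatefulFirewall remembers accepted connections and admits the reply while still dropping an unsolicited packet. The rule set, addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class Rule:
    """A first-generation packet-filter rule: only header attributes are visible."""
    action: str                 # "allow" or "drop"
    direction: str = "any"      # "in", "out" or "any"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction in ("any", direction)
                and self.proto in ("any", pkt.proto)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def stateless_filter(rules: list, pkt: Packet, direction: str) -> str:
    """Packet filter: first matching rule wins, default deny. Each packet is judged on its own."""
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Second generation: tracks connections, so replies are allowed without a blanket inbound rule."""

    def __init__(self, rules: list):
        self.rules = rules
        self.connections = set()  # (src, sport, dst, dport, proto) of accepted connections

    def handle(self, pkt: Packet, direction: str) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.connections or reverse in self.connections:
            return "allow"                      # part of a connection already accepted
        if pkt.syn and stateless_filter(self.rules, pkt, direction) == "allow":
            self.connections.add(key)           # new connection admitted by policy
            return "allow"
        return "drop"                           # unsolicited or mid-stream packet
```

Both an e-commerce request and a file-hosting request to port 80 match the same rule identically, which is the HTTP limitation noted above: neither generation can tell the two uses apart from headers alone.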
Third Generation Firewalls
- These firewalls understood the higher-level protocols and the applications inside them, and could
control different uses of the same basic protocol (application layer filtering)
- Firewalls with application layer filtering can understand protocols such as:
o HTTP
Browser traffic
File sharing site
E-commerce
Social media
Voice-over IP
Email
o FTP
o DNS
o Others
Next-Generation Firewall (NGFW)
- Has multiple security checkpoints
- Looks at packets and makes rule-based decisions on whether to allow or drop the traffic
- Deep Packet Inspection (DPI)
- Has the ability to control applications
- Application-level security
o Helps protect web browsers and clients from attacks and threats
- Also adopted various segmentation approaches that segregate users and applications
- By segmenting networks rather than using a flat network, the firewall helps eliminate a single
point of entry
- Delivers high-performance inspection
- Greater network visibility
Hybrid data centers offer:
- Agility
- Flexibility
- Scale on demand
o High performance inspection includes:
Applications
Compute resources
Analytics
Encrypted data
Data storage
Fortinet Security Fabric
- The FortiGate device is fully integrated with other security products that share intelligence data
and are managed centrally
Lesson 5: Wi-Fi:
Wi-Fi
- Technology for wireless local area networking
- Based on the IEEE 802.11 standards
Wired Equivalent Privacy (WEP)
- Encrypted traffic with a key using the RC4 keystream
Wi-Fi Protected Access (WPA)
- Added security features but retained the RC4 algorithm, which made it easier for users to upgrade
their older devices; however, it still didn’t solve the fundamental security problems
Wi-Fi Protected Access 2 (WPA2)
- Advanced Encryption Standard (AES)
- From the National Institute of Standards and Technology (NIST)
- New enterprise authentication was added
- Personal security level
o Shared passphrase
- Enterprise security level
o 802.1X authentication mechanisms
Wi-Fi Protected Access 3 (WPA3)
- Released in 2018
Access points (APs)
Honeypots
- Change the Service Set Identifier (SSID)
- Change the admin default username and password
Lesson 6: Threat intelligence service
Endpoint antivirus products:
- Vendors needed a way to catalogue all the known viruses so that their products could confirm
whether or not a file contained a virus
- Taking a sample of each known virus and generating a signature which represented the contents
of the file, in other words, a fingerprint.
- These virus signature lists were distributed to antivirus software
- Updates were released monthly
Signature-based scanning
- Malware authors were able to change their file contents at will
- Because the file contents changed, their signatures also changed, allowing malware to sneak by
the older antivirus products
Polymorphic malware
- Single type of malware becoming an entire malware family or perhaps hundreds of thousands of
different files.
- Each performing the same bad behaviors
Malware-as-a-service
Classic 1:1 signature approach
- In which each known malware file is represented by one signature in the signature file; this is
obviously not going to scale well given that the number of malware variations can
count into millions or more each day
Sandboxing products
- Take a suspect file and place it in an environment where its behaviours can be closely analyzed.
- If the file does something malicious while in the sandbox, it is flagged as malware; this is known as
heuristic detection.
o Looks for anomalous behaviour that is out of the ordinary.
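Added example (not from the course): why the 1:1 signature approach stops scaling and what behaviour-based detection adds. signature_scan matches a file hash against a signature set; polymorphic_variant stands in for repacking (the bytes change, the behaviour does not) and defeats it; heuristic_scan reads a constructed sandbox trace of (action, target) pairs and flags abnormal behaviour regardless of the file's bytes. The sample payloads, traces, the autostart path and the encryption threshold are all constructed for this illustration.

```python
import hashlib

# Constructed stand-ins for malware samples; in practice these would be real files.
KNOWN_SAMPLES = [b"SAMPLE-A: constructed malicious payload",
                 b"SAMPLE-B: constructed malicious payload"]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in KNOWN_SAMPLES}


def signature_scan(content: bytes) -> bool:
    """Classic 1:1 approach: one signature (here a SHA-256) per known file."""
    return hashlib.sha256(content).hexdigest() in SIGNATURE_DB


def polymorphic_variant(content: bytes, n: int) -> bytes:
    """Stand-in for repacking: the bytes differ, the behaviour does not (constructed)."""
    return content + b"#" + str(n).encode()


# Constructed sandbox traces: (action, target) pairs observed while the file ran.
STARTUP_DIR = "C:/Startup/"        # placeholder for an OS autostart location (assumed)
ENCRYPT_THRESHOLD = 10             # assumed: this many user files encrypted is abnormal


def heuristic_scan(trace: list) -> list:
    """Behaviour-based (heuristic) detection: reasons the run looks malicious, if any."""
    reasons = []
    encrypted = sum(1 for action, _ in trace if action == "encrypt")
    if encrypted >= ENCRYPT_THRESHOLD:
        reasons.append(f"encrypted {encrypted} user files")
    if any(action == "write" and target.startswith(STARTUP_DIR) for action, target in trace):
        reasons.append("wrote itself to an autostart location")
    if any(action == "delete" and target == "backups" for action, target in trace):
        reasons.append("deleted local backups")
    return reasons


def verdict(content: bytes, trace: list) -> str:
    """Signature first (cheap), then sandbox behaviour for anything the signatures miss."""
    if signature_scan(content):
        return "malware (signature)"
    reasons = heuristic_scan(trace)
    return "malware (heuristic: " + "; ".join(reasons) + ")" if reasons else "clean"


RANSOMWARE_TRACE = ([("write", STARTUP_DIR + "svc.exe"), ("delete", "backups")]
                    + [("encrypt", f"/home/alice/doc{i}.docx") for i in range(12)])
BENIGN_TRACE = [("read", "/home/alice/report.docx"), ("write", "/home/alice/report.docx")]
```

Every variant produced by polymorphic_variant has a different hash, so a signature list would need one entry per variant; the behaviour rules catch all of them with the same three checks, which is the scaling argument the notes make.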
1. Mechanisms of the attack
2. Indicators of compromise IoCs
- Evidence that the attack has happened
3. Implications of the attack
4. Attribution of the adversary
5. Potential motivations
Cyber Threat Alliance
- Membership/organizations
Computer emergency response teams (CERTs)
Realtime sharing of threat intelligence
FortiGuard Labs
- Seek out new avenues of attack
Lesson 7: SOAR
Security Orchestration Automation & Response (SOAR)
- Connects and synchronizes technologies through automation, overseen by human authority,
enabling security teams to run efficiently and respond effectively to threats.
- Increases security efficiency through automation.
Alert Fatigue
- Performance degradation in the face of flood of alerts
SOAR
- Ties together the tools already present in your security stack
- By pulling data in from all of these sources, SOAR can reduce the amount of context switching
that your analysts have to do.
- Those processes can be translated into a playbook which is a flowchart like set of steps either
manual or automated which can be repeated on demand.
- Called orchestration and automation
- Investigation
o Checking threat
The Benefits of Implementing SOAR
- Creates an opportunity to optimize an entire operation
- Resulting in streamlined responses at machine speed
- SOAR assigns alerts to different analysts or teams at different stages of the response process
- And lets those assigned users add information to the alert as they work on it
- So that others who reference that alert later will have additional context on the investigation
Playbooks
- Known as:
o Automated processes
o Workflows
o Playbooks
- A way to respond to alerts or incidents the same way every time.
- Playbooks work in lockstep with security teams by taking the steps an analyst would typically
implement when responding to an incident
- Playbooks take care of repetitive tasks such as:
o Compiling data into a report
o Sending emails
o They can pause when human oversight is needed, before implementing a firewall block for
instance.
- Playbooks are the key to SOAR's automation capability
- Allowing teams to improve their response speed and consistency while maintaining human
authority over a process
- Leads to reduced analyst workload and chance of error
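Added example (not from the course): a minimal playbook engine with the properties listed above. Steps run in a fixed order, the alert carries its own history so later analysts see the context, and a step marked needs_approval pauses the run until a human grants approval, exactly the firewall-block case in the notes. The threat-intelligence table, the blocklist, the outbox and the playbook name are constructed for this illustration and stand in for real integrations.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed integrations standing in for a threat-intel feed, a firewall and a mail relay.
THREAT_INTEL = {"198.51.100.23": "known command-and-control host"}
FIREWALL_BLOCKLIST = []
OUTBOX = []


@dataclass
class Step:
    name: str
    action: Callable[[dict], None]   # mutates the alert context
    needs_approval: bool = False     # pause for human authority before running


class Playbook:
    def __init__(self, name: str, steps: list):
        self.name = name
        self.steps = steps

    def run(self, alert: dict, approvals=()) -> str:
        """Run from where the alert last stopped; return 'paused' or 'completed'."""
        history = alert.setdefault("history", [])
        cursor = alert.setdefault("cursor", 0)
        while cursor < len(self.steps):
            step = self.steps[cursor]
            if step.needs_approval and step.name not in approvals:
                history.append(f"paused before '{step.name}': approval required")
                alert["cursor"] = cursor
                return "paused"
            step.action(alert)
            history.append(f"done '{step.name}'")
            cursor += 1
        alert["cursor"] = cursor
        return "completed"


def enrich(alert):
    alert["intel"] = THREAT_INTEL.get(alert["src_ip"], "no intelligence")

def compile_report(alert):
    alert["report"] = f"{alert['src_ip']}: {alert['intel']} ({alert['events']} events)"

def block_at_firewall(alert):
    FIREWALL_BLOCKLIST.append(alert["src_ip"])

def notify(alert):
    OUTBOX.append(("soc@example.com", alert["report"]))


SUSPICIOUS_OUTBOUND = Playbook("suspicious outbound connection", [
    Step("enrich", enrich),
    Step("compile_report", compile_report),
    Step("block_at_firewall", block_at_firewall, needs_approval=True),
    Step("notify", notify),
])
```

The first run enriches and reports automatically, then stops before the block; a second run with the approval set finishes the remaining steps without repeating the earlier ones.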
Use Case Example
Lesson 8: Network Access Control
Network Access Control (NAC)
- Appliance or virtual machine that controls device access to the network
- It began as a network authentication and authorization method for devices joining the network,
following the IEEE 802.1X standard
Authentication method:
- Client device
o Provides credentials in the form of a username and password, a digital certificate or some
other means to the authenticator, which forwards them to the authentication server;
the outcome of authentication decides what happens next.
- Authenticator
o Network switch or wireless access point that demarcates the protected network from the
unprotected network
o Depending on the outcome, the authenticator either blocks the device or allows access to the network.
- Authentication server
Captive Portal
- Another method to control access to a network especially the publicly available network
- A webpage that asks you to agree to legal terms before granting access
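Added example (not from the course): the three 802.1X roles from the NAC notes, plus the captive-portal alternative, as a runnable exchange. The Supplicant holds credentials, the Authenticator (switch or AP) forwards them and only opens the port on the server's verdict, and the AuthenticationServer is the only party that holds the credential store. Before authorization the authenticator passes only the authentication exchange itself (EAPOL frames). Usernames, passwords, port names and MAC addresses are constructed for this illustration.

```python
import hashlib
import hmac
import secrets


class AuthenticationServer:
    """Holds the credential store (e.g. a RADIUS server's user database). Constructed users."""

    def __init__(self, users: dict):
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(8)
            self._users[name] = (salt, self._digest(salt, password))

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode()).digest()

    def verify(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, expected = self._users[username]
        return hmac.compare_digest(expected, self._digest(salt, password))


class Authenticator:
    """Switch or access point: demarcates the network, forwards credentials, never judges them."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.ports = {}  # port -> "authorized" | "unauthorized"

    def supplicant_connects(self, port: str, credentials: dict) -> str:
        decision = self.server.verify(**credentials)      # the verdict comes from the server
        self.ports[port] = "authorized" if decision else "unauthorized"
        return self.ports[port]

    def forward(self, port: str, frame: dict) -> bool:
        """Before authorization only the authentication exchange itself (EAPOL) passes."""
        if frame.get("type") == "eapol":
            return True
        return self.ports.get(port) == "authorized"


class Supplicant:
    """The client device joining the network."""

    def __init__(self, username: str, password: str):
        self.credentials = {"username": username, "password": password}


class CaptivePortal:
    """Alternative for public networks: access is granted once the terms page is accepted."""

    def __init__(self):
        self.accepted = set()

    def accept_terms(self, client_mac: str) -> None:
        self.accepted.add(client_mac)

    def forward(self, client_mac: str, destination: str) -> bool:
        # Only the portal itself is reachable until the client accepts the terms.
        return destination == "portal.example" or client_mac in self.accepted
```

The division of labour is the point: the switch never sees the password database, so compromising an access-layer device does not hand over the credential store.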
NAC
- Evolved to grant access to
o Guest access
o Bring your own device BYOD
o Internet of Things IoT
BYOD and IoT
MIS does not control what runs on these devices
IoT expands the attack surface
IoT:
Potential conduit for contagion
o Variety of devices
o Lack of standards
o Inability to secure these devices
- Shared secret unique serial number
NAC
- Create profiles of all connected devices
- Permits access to network resources based on the device profile which is defined by function
- Complete visibility
- Categorizing devices
- Effective performance
- Control
- Integrated response with Security Operation Center (SOC)
FortiNAC
Lesson 9: Sandbox
Sandbox
- System that confines the actions of an application, such as
o opening a Word document or a browser, to an isolated virtual environment
- Studies the various application interactions to uncover any malicious intent
- So, if something unexpected or dangerous happens, it affects only the sandbox and not the
other computers and devices on the network.
- Sandbox technology is typically managed by an organization’s information security team but is
used by network, application and desktop operations teams to bolster security in their
respective domains
- Provides an isolated virtual environment that mimics various computer devices, OSs, and
applications
- It allows potential threats to play out within the safety of these virtual systems; if the sandbox
concludes that the suspicious file or activity is benign, no further action is needed. However,
if a suspicious file is detected, the file is quarantined or the activity is stopped on the
real device.
Zero-day Attack
- Exploiting unknown vulnerability
Second Generation Sandbox
- Equipped with more integration tools, or partnered with other vendors to improve integration
- As a result, they can share threat intelligence (via a threat analysis standard) with other
security devices such as:
o Firewalls
o Email gateways
o Endpoints
o Sandbox devices
- The new approach to network security allowed analysts:
o to correlate threat intelligence centrally
o Respond to threats from a single pane-of-glass
- Threat intelligence service in the cloud
Third Generation Sandbox
- AI generated attacks
- Threat analysis standard
- Needed to cover the expanding attack surfaces
- Digital transformation
o Refers to the movement of business data, applications and infrastructure to the cloud
MITRE
- Non-profit organization
- Proposed the ATT&CK Framework
o Describes standard malware characteristics categorically.
o It provided security devices with common language used in which to Identify, describe,
and categorize threats which could be shared with and understood by other devices.
Operational Technology (OT) industry
- Includes utilities, manufacturing, oil, gas and many others
- OT networks access corporate and third-party vendor networks
AWS
- Provides:
o Applications
o Platforms
o Infrastructure as a Service in the public cloud
Sandbox technology evolved to provide wider coverage to these areas and others as they developed.
FortiSandbox
Security Fabric
FortiGuard Labs
Lesson 10: SIEM
Security Information and Event Management (SIEM)
- Introduced in 2005
- Analyzes security alerts in real time
- Does three things:
o Collects, normalizes and stores log events from the organization’s network and security
devices, servers, databases, applications, and endpoints in a secure central location, both
physical and virtual
o Runs advanced analytics on the data, both in real time and across historical data:
- Simple cross-correlation rules
- User-behavioral anomalies
- Indicators of compromise (IoCs)
- Machine learning
o Proves security controls are in place and effective
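Added example (not from the course): the first two SIEM functions above on constructed data. normalize maps two different log formats (an sshd-style line and a key=value firewall line) onto one common schema, the normalized events are kept in a central list, and correlate_bruteforce is a simple cross-correlation rule: several failed logins from one source address followed by a success within a time window. The log lines, hosts, addresses and the rule thresholds are constructed for this illustration; the sshd wording follows the usual OpenSSH format but the timestamps are ISO 8601 for simplicity.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines from two sources.
RAW_LOGS = [
    ("sshd", "2022-02-03T10:00:01 Failed password for alice from 203.0.113.7 port 50001 ssh2"),
    ("fw",   "2022-02-03T10:00:02 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389"),
    ("sshd", "2022-02-03T10:00:05 Failed password for alice from 203.0.113.7 port 50002 ssh2"),
    ("sshd", "2022-02-03T10:00:09 Failed password for alice from 203.0.113.7 port 50003 ssh2"),
    ("sshd", "2022-02-03T10:00:20 Accepted password for alice from 203.0.113.7 port 50004 ssh2"),
    ("sshd", "2022-02-03T10:05:00 Failed password for bob from 10.0.0.9 port 40001 ssh2"),
    ("sshd", "2022-02-03T10:05:30 Accepted password for bob from 10.0.0.9 port 40002 ssh2"),
]

SSHD_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+) port \d+")


def normalize(source: str, line: str) -> dict:
    """Map each vendor format onto one common schema (the 'normalize' step)."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sshd line: {line}")
        ts, outcome, user, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": source, "src_ip": ip,
                "user": user,
                "event": "login_failure" if outcome == "Failed" else "login_success"}
    if source == "fw":
        ts, rest = line.split(" ", 1)
        kv = dict(field.split("=", 1) for field in rest.split())
        return {"ts": datetime.fromisoformat(ts), "source": source, "src_ip": kv["src"],
                "user": None, "event": "fw_" + kv["action"]}
    raise ValueError(f"unknown source {source}")


def correlate_bruteforce(events: list, min_failures: int = 3,
                         window: timedelta = timedelta(seconds=60)) -> list:
    """Cross-correlation rule: N failed logins from one IP, then a success within the window."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["event"] != "login_success":
            continue
        failures = [e for e in events[:i]
                    if e["event"] == "login_failure" and e["src_ip"] == ev["src_ip"]
                    and ev["ts"] - e["ts"] <= window]
        if len(failures) >= min_failures:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                           "failures_before_success": len(failures), "ts": ev["ts"]})
    return alerts


def run_siem(raw_logs=RAW_LOGS) -> list:
    store = [normalize(src, line) for src, line in raw_logs]   # central normalized store
    return correlate_bruteforce(store)
```

Neither source on its own shows a problem (the firewall sees one denied connection, sshd sees some failures); only the normalized, central view lets the rule tie the failures and the later success to the same source.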
Examples of Regulatory compliance
- Payment card industry PCI
- Sarbanes-Oxley Act
- Health insurance portability and accountability act HIPAA
- General Data Protection Regulation GDPR 2018
2nd stage of development
SIEM vendors added threat detection capabilities
- Built-in threat intelligence
- Historical and real time threat analytics
- User and entity behavior analytics UEBA
- Machine learning
The situation was exacerbated by two factors
1. IT security suffered from insufficient numbers of qualified professionals
2. Siloed approach used in Network Operations Centers NOCs and Security Operations Centers
SOCs increases complexity
SIEM has evolved from
- An information platform >
o Threat intelligence center >
Fully integrated and automated center for security and network operations
FortiSIEM
Lesson 11: Web Application Firewall
Web Application Firewall (WAF)
- Appliance or software that monitors and blocks HTTP traffic to and from a web application
- It differs from a traditional edge firewall in that it targets the content of specific web
applications at the application level, specifically by inspecting HTTP traffic, while edge firewalls act as secure gateways
between the local area network (LAN) and outside servers at the network level
- Web application security flaws such as:
o SQL injection
A form asks for a user id and password; a password such as abc1234 or 2+2=4 smuggles an always-true condition into the query
o Cross-site scripting
o File inclusion
o Security misconfigurations
- WAF ancestors:
o Early application firewall 1990s
File transfer protocol (FTP)
Remote shell (RSH)
Command line computer program
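Added example (not from the course): the SQL injection flaw named in the WAF notes, shown as a vulnerable query beside its hardened form, with a first-generation-style signature check alongside. vulnerable_login concatenates the input into the SQL, so the lesson's tautology (with the closing quote it needs in a real form) turns the WHERE clause into something always true; safe_login passes the same input as a bound parameter, where it is only ever a value. waf_blocks is a single regex signature of the kind an early WAF blacklist used, and it catches only what the signature describes. The table, users and passwords are constructed for this illustration, and passwords are stored in clear only so the injection stays visible.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table. Clear-text passwords are for the demo only;
    a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Builds the query by string formatting: the input becomes part of the SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """Parameterized query: values travel separately and are never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# First-generation WAF behaviour: one signature for the always-true pattern in the lesson.
TAUTOLOGY_SIGNATURE = re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.IGNORECASE)


def waf_blocks(param: str) -> bool:
    """Signature-based check on an HTTP parameter; blocks only what the signature describes."""
    return bool(TAUTOLOGY_SIGNATURE.search(param))
```

The signature is a useful outer layer but not a fix: the parameterized query is what removes the flaw, which is why the notes list signature blacklists as first-generation and later generations add behaviour analysis.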
First generation WAF
- Blacklists
- Signature-based HTTP attributes
2nd generation WAF
- An element of machine learning
- Web applications
- Whitelists (legitimate web applications)
- Blacklists
- Session monitoring heuristics
o Permitted the firewall to detect variants of known signatures
- No defense against zero-day attacks
3rd generation WAF
- Behavior analysis can be done at machine speed and can adapt to the ever-changing attributes of
the threat
- Augmented to the firewall
o Distributed denial of service
o IP reputation
o Anti-virus
o Data Leak Prevention (DLP)
o Monitor HTTP behavior
o Enforce user role permissions
- Interlocking defense
- Sandbox – zero day attack
- New information is uploaded to the threat intelligence center
FortiWeb
- FortiGate
- FortiSandbox
- FortiGuard
Lesson 12: Secure Email Gateway
Spam
- Act of sending irrelevant and unsolicited messages on the internet to a large number of
recipients
Phishing
- The fraudulent practice of sending emails purporting to be from a reputable source
Spam filters
- Stop spam and phishing emails
- By identifying specific words or patterns
Sender Policy Framework SPF
- Email authentication method that detects bogus sender addresses and emails
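Added example (not from the course): an SPF check of the kind a secure email gateway runs for the sender address. check_spf evaluates the ip4 and all mechanisms of a v=spf1 record with their qualifiers (RFC 7208 semantics for those two mechanisms; a, mx, include and ip6 are left out), and gateway_decision is an assumed policy mapping the result onto deliver, quarantine or reject. The DNS TXT answers, domains and addresses are constructed for this illustration and stand in for live DNS lookups.

```python
import ipaddress

# Constructed DNS TXT answers standing in for live lookups of the sender's domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "example.org": "v=spf1 ip4:192.0.2.1",     # no 'all' term
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mail_from_domain(envelope_sender: str) -> str:
    """Domain of the envelope sender (MAIL FROM), which SPF is checked against."""
    return envelope_sender.rsplit("@", 1)[1].lower()


def check_spf(domain: str, sender_ip: str, dns: dict = DNS_TXT) -> str:
    """Evaluate the ip4 and all mechanisms of an SPF record, left to right, first match wins."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)  # bare IP becomes /32
            if ip.version == 4 and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # a, mx, include, ip6: not implemented in this example
    return "neutral"   # no mechanism matched and no 'all' term


def gateway_decision(envelope_sender: str, connecting_ip: str) -> str:
    """Assumed gateway policy applied to the SPF result (not the lesson's own)."""
    result = check_spf(mail_from_domain(envelope_sender), connecting_ip)
    if result == "fail":
        return "reject"
    if result in ("softfail", "none", "neutral"):
        return "quarantine"
    return "deliver"
```

A message claiming to come from example.com but delivered from an address outside the published ranges hits -all and fails, which is the bogus-sender case the notes describe; a domain that publishes no record gives "none", so SPF only helps domains that publish one.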
Anti-Phishing Working Group (APWG)
- Recorded 165,772 phishing sites
- Secure email gateways
- Antivirus scanners
- Threat emulation
- Sandboxing
- Data Loss Prevention (DLP)
o Detects and stops the egress of sensitive data
o Integrated fabric of security
FortiMail
FortiManager
FortiGuard Labs
Lesson 13: Web Filter
Why? Security and objectionable content
Web Filter
- Application that examines incoming web pages to determine whether some or all of the content
should be blocked
- The web filter makes these decisions based on rules set in place by the organization or individual
who installed the application
- Can establish different rules for different types of users
Children’s internet protection act CIPA
- 2004
- Requiring all public computers in the library to have web filters
Filters that could block
- Adware
- Spam
- Viruses
- Spyware
Web Filtering forms the:
- First line of defense against web-based attacks
- Added to:
o Firewalls
o Proxy servers
o Sandbox technology
o Wireless access points
How does it work?
- A web filter can consult a URL database that stores websites and domains known to
host malware, phishing and other harmful tools
URL found in:
- Deny List
- Allow List
Filter that uses:
- Keyword
- Pre-defined content
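Added example (not from the course): the decision logic described under "How does it work?" in one function. filter_url checks the allow list, then the deny list (walking up parent domains so an entry covers its subdomains), and finally the keyword categories, with a different set of blocked categories per user type as the notes describe. The lists, categories, URLs and user types are constructed for this illustration.

```python
from urllib.parse import urlparse

# Constructed lists standing in for a vendor URL database and the organization's own rules.
DENY_LIST = {"malware.example": "malware host", "phish.example": "phishing"}
ALLOW_LIST = {"intranet.example"}
KEYWORD_CATEGORIES = {"gambling": ("casino", "poker"), "weapons": ("firearm",)}
# Different rules for different user types (e.g. a library's children's terminals).
BLOCKED_CATEGORIES = {"adult": set(), "child": {"gambling", "weapons"}}


def _host_and_parents(host: str):
    """Yield the host, then each parent domain, so a list entry also covers subdomains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def filter_url(url: str, user_type: str = "adult", page_text: str = "") -> tuple:
    """Return ("allow" | "block", reason) for the URL under the rules for this user type."""
    host = urlparse(url).hostname or ""
    if not host:
        return ("block", "unparseable URL")
    for candidate in _host_and_parents(host):      # explicit allow entries win
        if candidate in ALLOW_LIST:
            return ("allow", f"allow list: {candidate}")
    for candidate in _host_and_parents(host):      # then the known-bad database
        if candidate in DENY_LIST:
            return ("block", f"deny list: {candidate} ({DENY_LIST[candidate]})")
    # Keyword filtering over the URL and the fetched page content.
    haystack = (url + " " + page_text).lower()
    for category, words in KEYWORD_CATEGORIES.items():
        if category in BLOCKED_CATEGORIES[user_type] and any(w in haystack for w in words):
            return ("block", f"keyword category: {category}")
    return ("allow", "no rule matched")
```

The parent-domain walk matters in practice: a deny-list entry for malware.example also stops cdn.malware.example, which a plain string lookup would miss.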
Machine learning is the next step in building more effective web filters
FortiClient
FortiGate
FortiAP