Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

Added to CISA's Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to obtain the configuration file from affected systems and to add a malicious super_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

Increase in Scanning Activity for the Flaw

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

A Popular Attacker Target

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply [the] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

SUNNYVALE, Calif., Oct. 03, 2022 (GLOBE NEWSWIRE) --

News Summary
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, announced that it will hold a conference call to discuss its third quarter 2022 financial results on Wednesday, November 2, at 1:30 p.m. Pacific Time (4:30 p.m. Eastern Time).

Fortinet's financial results conference call will be broadcast live in listen-only mode on the company’s investor relations website at http://investor.fortinet.com. While not required, it is recommended that you join at least 10 minutes prior to the event start.

The CEO and CFO’s prepared remarks, supplemental slides and a call replay will be accessible from the Quarterly Earnings page on the Investor Relations page of Fortinet's website at https://investor.fortinet.com/quarterly-earnings.

About Fortinet
Fortinet (NASDAQ: FTNT) makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey. The Fortinet Security Fabric platform delivers broad, integrated, and automated protections across the entire digital attack surface, securing critical devices, data, applications, and connections from the data center to the cloud to the home office. Ranking #1 in the most security appliances shipped worldwide, more than 595,000 customers trust Fortinet to protect their businesses. And the Fortinet NSE Training Institute, an initiative of Fortinet’s Training Advancement Agenda (TAA), provides one of the largest and broadest training programs in the industry to make cyber training and new career opportunities available to everyone. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

FTNT-F

Copyright © 2022 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiCore, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAP, FortiAppEngine, FortiAppMonitor, FortiAuthenticator, FortiBalancer, FortiBIOS, FortiBridge, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCenter, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDirector, FortiDNS, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLocator, FortiLog, FortiMeter, FortiMoM, FortiMonitor, FortiNAC, FortiPartner, FortiPenTest, FortiPhish, FortiPortal, FortiPresence , FortiProtect, FortiProxy, FortiRecorder, FortiReporter, FortiSASE, FortiScan, FortiSDNConnector, FortiSIEM, FortiSDWAN, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiVoIP, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLCOS and FortiWLM.

Story continues

Other trademarks belong to their respective owners. Fortinet has not independently Verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments. This news release may contain forward-looking statements that involve uncertainties and assumptions, such as statements regarding technology releases among others. Changes of circumstances, product release delays, or other risks as stated in our filings with the Securities and Exchange Commission, located at www.sec.gov, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements.

Fortinet has confirmed that the critical vulnerability whose existence came to light last week is a zero-day flaw that has been exploited in at least one attack.

The company privately informed some customers last week about the availability of patches and workarounds for an authentication bypass vulnerability exposing FortiOS and FortiProxy products to remote attacks.

The flaw, tracked as CVE-2022-40684, can allow a remote, unauthenticated attacker to perform unauthorized operations on the targeted appliance’s admin interface using specially crafted HTTP or HTTPS requests.

Fortinet on Monday made public an advisory for CVE-2022-40684 and warned that it’s aware of one attack involving exploitation of the zero-day. The company has provided an indicator of compromise (IoC) that customers can use to check if their appliances have been hacked.

It’s likely that exploitation of the vulnerability occurred before Fortinet released a patch. Limited exploitation of a security flaw typically suggests that a sophisticated threat actor — likely a state-sponsored group — is behind the attacks.

However, details and proof-of-concept (PoC) exploits are expected to become publicly available in the coming days, which will allow other threat actors to add the exploit to their toolset.

Researcher Carlos Vieira said the vulnerability is “really simple to exploit and easy to weaponize” and warned that exploitation can lead to a full device takeover.

SANS Institute reported seeing an increase in scans for an old Fortigate vulnerability and the company believes someone may be trying to create a list of potential targets for CVE-2022-40684 exploitation.

According to Fortinet’s advisory, in addition to FortiProxy web gateways and security appliances running FortiOS, the flaw impacts FortiSwitch Manager, the management platform for FortiSwitch switches. Versions 7.0.x and 7.2 are affected and patches are included in versions 7.0.7, 7.2.1 and 7.2.2.

There are many vulnerable devices that are exposed to the internet, which makes widespread exploitation very likely. It’s not uncommon for threat actors to target Fortinet devices in their attacks.

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Fortinet has privately informed some customers about a critical and remotely exploitable vulnerability that poses a significant risk.

The cybersecurity firm does not appear to have released a public advisory, but in emails sent to customers the company revealed that its FortiOS and FortiProxy products are affected by a critical authentication bypass vulnerability on the admin interface. The issue is tracked as CVE-2022-40684.

The email has only been distributed to ‘select customers’ and it’s marked as ‘strictly confidential’, with recipients instructed not to share it outside their organization. However, copies of the email have been shared on social media and even on Fortinet forums by customers.

“Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel [CWE-88] in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said.

The company has instructed customers to immediately update their products due to attackers being able to remotely exploit the vulnerability.

FortiOS versions between 7.0.0 and 7.0.6, and between 7.2.0 and 7.2.1 are affected, as well as FortiProxy 7.0.0 through 7.0.6 and 7.2.0. FortiOS patches are included in versions 7.0.7 and 7.2.2, and fixes for FortiProxy are included in 7.0.7 and 7.2.1. There have also been some unconfirmed reports that versions 6.x.x could also be impacted.

Users can also prevent attacks by ensuring that only trusted IP addresses can reach the affected products’ administrative interface.

Threat intelligence company GreyNoise says it will be keeping an eye out for exploitation attempts, but for the time being there is not enough information for them to be able to identify attacks.

Threat intelligence firm Cyberthint reported seeing more than 150,000 potentially vulnerable Fortinet product instances that are exposed to the internet.

While it’s unclear if attacks exploiting CVE-2022-40684 have already begun, it’s not uncommon for threat actors to target vulnerabilities in Fortinet products.

UPDATE: Fortinet has made its advisory public. The company has also informed customers about CVE-2022-33873, which allows an unauthenticated remote attacker to execute arbitrary commands in the underlying shell.

UPDATE 2: Fortinet has confirmed that CVE-2022-40684 is zero-day that has been exploited in at least one attack. 

Related: Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks

Related: CISA Expands 'Must-Patch' List With Log4j, FortiOS, Other Vulnerabilities

Related: Fortinet Patches High-Severity Vulnerabilities in Several Products

Related: Tens of Thousands of Unpatched Fortinet VPNs Hacked via Old Security Flaw

Fortinet Training Institute Furthers Global Mission to Expand Access to Cyber Training for Untapped Talent and to Advance Skills for Cyber Professionals

Fortinet Training Institute Overview

SUNNYVALE, Calif., Oct. 03, 2022 (GLOBE NEWSWIRE) --

John Maddison, EVP of Products and CMO at Fortinet
“Fortinet has a long history of working to close the cyber skills gap, and we are proud to share we recently hit a significant milestone by achieving more than 1 million Network Security Expert (NSE) certifications issued to date. Continued learning through training and certifications is a critical way to stay ahead of cyber adversaries who are constantly evolving their attack strategies and methods. This is why Fortinet’s Training Institute is dedicated to offering award-winning cyber training and certifications for security professionals to upskill and advance their knowledge or for those considering reskilling. At the same time, for organizations looking to build cyber awareness in their employees and strengthen their security posture, the Fortinet Training Institute offers its Security Awareness and Training service.”

News Summary
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, today announced it has issued more than 1 million Network Security Expert (NSE) certifications to date, further advancing its commitment to close the cybersecurity skills gap. Adding to this milestone, Fortinet continues to expand the global impact of its training and certification programs with the addition of new courses in priority cybersecurity areas, new training partners, and by expanding access to cyber training to empower untapped talent. Fortinet also continues to help organizations build a cyber-aware workforce through its existing Security Awareness and Training Service and through a recent initiative tied to the 2022 White House National Cyber Workforce and Education Summit, by providing a tailored version of the service available for K-12 school districts in the United States free of charge.

Story continues

Advancing Skill Sets in Cybersecurity Professionals to Keep Up with Threats
With more than 80% of breaches being attributed to a lack of cyber skills according to a global 2022 Fortinet report, the cybersecurity skills gap continues to be a top-of-mind concern for organizations. In an effort to help close the cyber skills gap, Fortinet – through its Training Advancement Agenda (TAA) and Fortinet Training Institute initiatives – is focused on upskilling security professionals to stay ahead of threats with the following efforts:

• Validating Skills and Experience with NSE Certifications: As part of Fortinet’s progress to close the skills gap, the Fortinet Training Institute achieved the milestone of over 1 million NSE certifications issued to date. The eight-level training and certification program is designed to provide technical professionals with independent validation of their security and networking skills as well as work experience. Fortinet’s 2022 Global Skills Gap report revealed that 95% of leaders believe technology-focused certifications positively impact their role and their team, while 81% of leaders prefer to hire people with certifications. The Fortinet Training Institute aims to provide professionals the opportunity not only to gain skills to ward off cyber threats, but also career growth opportunities, as leaders value certifications. In addition, the NSE training curriculum is easily accessible to empower access to learning and is offered in instructor-led, virtual instructor-led, and free self-paced training formats.

• Developing Courses in Key Cybersecurity Areas Across all Industries: The Fortinet Training Institute is continuously updating its training with content that is relevant and dynamic for the issues and challenges cyber professionals face today. For example, the OT Security curriculum, as part of NSE level 7, provides a solid understanding of how to design, implement and operate an OT security solution for critical infrastructures. Other syllabu areas where the Fortinet Training Institute has expanded its curriculum include Zero Trust Network Access and Secure SD-WAN, among others. Additionally, Fortinet offers low-cost labs to further advance skill sets for anyone taking technical, advanced or expert level training.

• Leveraging Threat Intelligence from FortiGuard Labs in Curriculum: The Fortinet Training Institute curriculum is developed by Fortinet’s world-class trainers and curriculum developers with an in-depth knowledge of industry-leading technology and the evolving threat landscape. The training curriculum is augmented with threat intelligence from FortiGuard Labs, a global research team comprised of experienced threat hunters, researchers, analysts, engineers, and data scientists. In addition, the curriculum is designed to evolve based on the latest threat intelligence from FortiGuard Labs, ensuring that anyone taking training or pursuing certifications obtains the most relevant skills and knowledge.

• Offering Opportunities for Professionals to Upskill Through Fortinet’s Global Authorized Training Centers: Fortinet Authorized Training Centers (ATCs) are a network of accredited training organizations in more than 130 countries and territories around the world, teaching in 26 different languages. ATCs deliver the Fortinet Training Institute’s cybersecurity training in local languages. New ATCs that have recently joined the program, extend the availability of Fortinet’s training to security professionals around the world, including: Exclusive Networks (USA), Wavelink (Australia), HRP (Hungary), and DACAS (The Caribbean).

Expanding Access to Cyber Training and Empowering Untapped Talent
Fortinet is increasing access to its cybersecurity training so that more people, regardless of their educational background, current career or life experience, can access cyber courses and help kickstart a career in cybersecurity. Fortinet is also empowering untapped talent pools, including women, students, veterans and more, to reskill or expand their skills for a career in cyber, helping to address the industry talent shortage. As part of this focus, Fortinet made a commitment in September of 2021 to train 1 million people in cybersecurity over 5 years between 2022-2026 and is on track to meet this through various initiatives, including:

• Enhancing organizations’ cybersecurity awareness training for all employees with the Security Awareness and Training Service: Any company can easily deploy the Fortinet Training Institute’s Security Awareness and Training Service to further protect their security posture by advancing all their employees’ cyber skill sets and knowledge. This service introduced earlier this year is a SaaS-based offering that delivers timely awareness training on today’s cybersecurity threats. It helps IT, security, and compliance leaders build a cyber-aware culture where employees recognize and avoid falling victim to cyberattacks.

• Offering a Free Security Awareness and Training Service for K-12 School Districts in the U.S.: Fortinet announced that it has made its Security Awareness and Training Service available to K-12 school districts across the United States free of cost, making the training available to approximately 8 million faculty and staff. Educational institutions have seen an increase in bring your own devices (BYOD) making schools and students more vulnerable to cyber threats due to the expanding attack surface and, thus, must ensure they are securing their critical digital assets and sensitive information. With the tailored service, school districts can implement training for staff and faculty to expand their cyber knowledge and skills, so they don’t fall victim to popular threat methods as part of the overall school cybersecurity strategies.

• Expanding Academic Partner and Education Outreach Programs Partnerships: With more than 470 Authorized Academic Partners worldwide across more than 90 countries and territories, the Fortinet Training Institute continues to work with education institutions globally to help prepare the cyber workforce of the future. Among the new institutions worldwide that have joined the Academic Partner Program are: Universidad Panamericana (UP) in Mexico,Technological University of Queretaro (UTEQ) in Mexico, KLE Tech University in India, South Regional TAFE in Australia, Università of Tor Vergata of Roma in Italy, Cybersecurity Business School in France, UIB - Universitat de les Illes Balears in Spain, Polytechnic Institute of Guarda in Portugal, University West - Högskolan Väst in Sweden, South Texas College in the United States and more. As Authorized Academic Partners, these institutions are using Fortinet’s award-winning technical training in their classrooms and providing students with valuable industry certifications to add to their resumes upon graduation.

  Similarly, the Education Outreach Program is expanding Fortinet’s reach by partnering with additional organizations that represent traditionally underrepresented groups in the high-tech sector such as women, veterans, economically disadvantaged and more. New outreach partners include Cerco IT and National Economic Education Trust (NEET).
  

Supporting Quotes

“The number of skilled cybersecurity professionals is not growing fast enough to fill the nearly 3 million unfilled cybersecurity positions worldwide. To help solve this critical issue, I co-founded the Cybersecurity Business School in France, which is delivering two programs: a Bachelor of Cybersecurity Specialist and a Master of Cybersecurity Manager. A key part of our program is the Fortinet Training Institute’s Network Security Expert (NSE) training and certifications developed by industry experts, which we are leveraging to incorporate real-world teachings about critical security areas. Implementing Fortinet’s training in our classes and Fortinet security devices in our SOC, IT & OT simulation platform is allowing us to provide a robust curriculum to our students and to further develop the cybersecurity workforce of the future.”        
-Thomas Guilloux, Co-Founder and Technical & Industrial Director at the Cybersecurity Business School in France

“Polytechnic Institute of Guarda (IPG) is excited to partner with Fortinet as part of its Academic Partner Program. In a world amid digital transition, cybersecurity is a big issue today, and its global importance goes beyond impacting only IT teams. Therefore, for the teachers and researchers of the Polytechnic Institute of Guarda, having access to training from an industry-leading company like Fortinet is a very enriching experience. At the same, our students are acquiring know-how and certifications to work in an area with a huge shortage of qualified human resources directly from the current world leader in the area. As a result of this collaboration, Polytechnic Institute of Guarda will have a very relevant impact on the region and across the country in helping address the skills gap by preparing the future workforce. According to a report prepared by Fortinet in 2021, 80% of organizations that suffered cyberattacks attributed it to the lack of skills of their staff in the area of ​​cybersecurity. In Portugal, at the Polytechnic Institute of Guarda, the Fortinet Academy is contributing to making the country digitally safer.”
- Joaquim Brigas, President at the Polytechnic Institute of Guarda

“Today's organizations need professionals knowledgeable on syllabus related to digital security so that, with the advancement of technology, they know how to mitigate the growing number of threats and vulnerabilities. We have the responsibility to prepare our students in Mexico to take on the task of preventing cyberattacks to protect important information and organizations. Our collaboration with Fortinet is a testament of this commitment. With this agreement, the Universidad Panamericana (UP) further provides high-level training in IT and reiterates its commitment to continue preparing its students for digital transformation in areas related to cybersecurity”.
- Juan Carlos García, director of Digital Transformation at the Universidad Panamericana in Mexico

“To grant our candidates (ex-military or otherwise) access to the NSE training curriculum is a huge step forward in creating highly skilled IT professionals and enables us to further address the shortfall in the UK’s cybersecurity talent pool. We are thrilled to collaborate with the global leader in network security and are excited to be working with such a strong, internationally recognised training programme focused on closing the cyber skills gap.”
- Chris Barlow, MD of Cerco IT

“To address the skills gaps and provide training for skills that are in high demand, NEET has identified a need for training the unemployed youth in Forth Industrial Revolutions (4IR) skills and paying immediate attention to addressing cybersecurity skills gaps, which will be carried out by NEET 4IR Academy. Fortinet, as a global leader in broad, integrated and automated cybersecurity solutions, aligns quite perfectly as a strategic partner to help us achieve our organizational mission and vision in a manner that is both meaningful and impactful to our communities.”
- Thomas Sithole, Chairman at National Economic Education Trust (NEET)

Additional Resources

About Fortinet
Fortinet (NASDAQ: FTNT) makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey. The Fortinet Security Fabric platform delivers broad, integrated, and automated protections across the entire digital attack surface, securing critical devices, data, applications, and connections from the data center to the cloud to the home office. Ranking #1 in the most security appliances shipped worldwide, more than 595,000 customers trust Fortinet to protect their businesses. And the Fortinet NSE Training Institute, an initiative of Fortinet’s Training Advancement Agenda (TAA), provides one of the largest and broadest training programs in the industry to make cyber training and new career opportunities available to everyone. Learn more at https://www.fortinet.com, the Fortinet Blog, and FortiGuard Labs.

FTNT-O

Copyright © 2022 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest, FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other trademarks belong to their respective owners. Fortinet has not independently Verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.

A video accompanying this announcement is available at: https://www.globenewswire.com/NewsRoom/AttachmentNg/446402a9-3c18-4c27-bc56-68455d6aa356

Fortinet warned that its FortiGate firewalls and FortiProxy web proxies may be affected by a exact vulnerability. The vulnerability allows cybercriminals to bypass authentication measures.

According to the security vendor, the issue involves CVE-2022-40684, a vulnerability that allows cybercriminals to bypass the authentication of administrative interfaces in FortiGate firewall and FortiProxy web proxy environments. Ultimately, the vulnerability lets cybercriminals access unpatched devices.

Authentication bypass

The bypass uses an alternate channel (CWE-88) in FortiProxy and operating system FortiOS. This allows cybercriminals to perform actions on the administrative interface via HTTP or HTTPS requests.

According to Fortinet, the vulnerability is very critical and should be addressed by customers immediately. The vulnerability is present in systems running FortiOS versions 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, as well as FortiProxy versions 7.0.0 to 7.0.6 and 7.2.0. All corresponding devices should be updated to FortiOS 7.0.7 and FortiProxy 7.2.2 as soon as possible.

Workaround available

A workaround is available for companies that cannot implement the patch on short notice. The workaround was suggested by Fortinet and involves limiting the IP addresses that administrative interfaces can reach with a local-in policy. The security vendor also recommends disabling remote administrative interfaces to block attacks.

Tip: FortiEDR is more than EDR thanks to security fabric integration and pro-active monitoring

Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices.

Tracked as CVE-2022-40684 (CVSS score: 9.6), the critical flaw relates to an authentication bypass vulnerability that may permit an unauthenticated adversary to carry out arbitrary operations on the administrative interface via a specially crafted HTTP(S) request.

The issue impacts the following versions, and has been addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1 released this week:

• FortiOS - From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
• FortiProxy - From 7.0.0 to 7.0.6 and 7.2.0

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," the company cautioned in an alert shared by a security researcher who goes by the alias Gitworm on Twitter.

As temporary workarounds, the company is recommending users to disable internet-facing HTTPS Administration until the upgrades can be put in place, or alternatively, enforce a firewall policy to "local-in traffic."

When reached for a comment, Fortinet acknowledged the advisory and noted that it's delaying public notice until its customers have applied the fixes.

"Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization," the company said in a statement shared with The Hacker News. "Customer communications often detail the most up-to-date guidance and recommended next steps to best protect and secure their organization."

"There are instances where confidential advance customer communications can include early warning on advisories to enable customers to further strengthen their security posture, which then will be publicly released in the coming days to a broader audience. The security of our customers is our first priority."

SUNNYVALE, Calif., Oct. 03, 2022 (GLOBE NEWSWIRE) --

John Maddison, EVP of Products and CMO at Fortinet

“Fortinet has a long history of working to close the cyber skills gap, and we are proud to share we recently hit a significant milestone by achieving more than 1 million Network Security Expert (NSE) certifications issued to date. Continued learning through training and certifications is a critical way to stay ahead of cyber adversaries who are constantly evolving their attack strategies and methods. This is why Fortinet’s Training Institute is dedicated to offering award-winning cyber training and certifications for security professionals to upskill and advance their knowledge or for those considering reskilling. At the same time, for organizations looking to build cyber awareness in their employees and strengthen their security posture, the Fortinet Training Institute offers its Security Awareness and Training service.”

News Summary

Fortinet ® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, today announced it has issued more than 1 million Network Security Expert (NSE) certifications to date, further advancing its commitment to close the cybersecurity skills gap. Adding to this milestone, Fortinet continues to expand the global impact of its training and certification programs with the addition of new courses in priority cybersecurity areas, new training partners, and by expanding access to cyber training to empower untapped talent. Fortinet also continues to help organizations build a cyber-aware workforce through its existing  Security Awareness and Training Service and through a recent  initiative  tied to the 2022 White House National Cyber Workforce and Education Summit, by providing a tailored version of the service available for K-12 school districts in the United States free of charge.

Advancing Skill Sets in Cybersecurity Professionals to Keep Up with Threats

With more than 80% of breaches being attributed to a lack of cyber skills according to a global 2022 Fortinet report, the cybersecurity skills gap continues to be a top-of-mind concern for organizations. In an effort to help close the cyber skills gap, Fortinet – through its Training Advancement Agenda (TAA) and Fortinet Training Institute initiatives – is focused on upskilling security professionals to stay ahead of threats with the following efforts:

• Validating Skills and Experience with NSE Certifications: As part of Fortinet’s progress to close the skills gap, the Fortinet Training Institute achieved the milestone of over 1 million NSE certifications issued to date. The eight-level training and certification program is designed to provide technical professionals with independent validation of their security and networking skills as well as work experience. Fortinet’s 2022 Global Skills Gap report revealed that 95% of leaders believe technology-focused certifications positively impact their role and their team, while 81% of leaders prefer to hire people with certifications. The Fortinet Training Institute aims to provide professionals the opportunity not only to gain skills to ward off cyber threats, but also career growth opportunities, as leaders value certifications. In addition, the NSE training curriculum is easily accessible to empower access to learning and is offered in instructor-led, virtual instructor-led, and free self-paced training formats.
• Developing Courses in Key Cybersecurity Areas Across all Industries: The Fortinet Training Institute is continuously updating its training with content that is relevant and dynamic for the issues and challenges cyber professionals face today. For example, the OT Security curriculum, as part of NSE level 7, provides a solid understanding of how to design, implement and operate an OT security solution for critical infrastructures. Other syllabu areas where the Fortinet Training Institute has expanded its curriculum include Zero Trust Network Access and Secure SD-WAN, among others. Additionally, Fortinet offers low-cost labs to further advance skill sets for anyone taking technical, advanced or expert level training.
• Leveraging Threat Intelligence from FortiGuard Labs in Curriculum: The Fortinet Training Institute curriculum is developed by Fortinet’s world-class trainers and curriculum developers with an in-depth knowledge of industry-leading technology and the evolving threat landscape. The training curriculum is augmented with threat intelligence from FortiGuard Labs, a global research team comprised of experienced threat hunters, researchers, analysts, engineers, and data scientists. In addition, the curriculum is designed to evolve based on the latest threat intelligence from FortiGuard Labs, ensuring that anyone taking training or pursuing certifications obtains the most relevant skills and knowledge.
• Offering Opportunities for Professionals to Upskill Through Fortinet’s Global Authorized Training Centers: Fortinet Authorized Training Centers (ATCs) are a network of accredited training organizations in more than 130 countries and territories around the world, teaching in 26 different languages. ATCs deliver the Fortinet Training Institute’s cybersecurity training in local languages. New ATCs that have recently joined the program, extend the availability of Fortinet’s training to security professionals around the world, including: Exclusive Networks (USA), Wavelink (Australia), HRP (Hungary), and DACAS (The Caribbean).

Expanding Access to Cyber Training and Empowering Untapped Talent

Fortinet is increasing access to its cybersecurity training so that more people, regardless of their educational background, current career or life experience, can access cyber courses and help kickstart a career in cybersecurity. Fortinet is also empowering untapped talent pools, including women, students, veterans and more, to reskill or expand their skills for a career in cyber, helping to address the industry talent shortage. As part of this focus, Fortinet made a commitment in September of 2021 to train 1 million people in cybersecurity over 5 years between 2022-2026 and is on track to meet this through various initiatives, including:

• Enhancing organizations’ cybersecurity awareness training for all employees with the Security Awareness and Training Service: Any company can easily deploy the Fortinet Training Institute’s Security Awareness and Training Service to further protect their security posture by advancing all their employees’ cyber skill sets and knowledge. This service introduced earlier this year is a SaaS-based offering that delivers timely awareness training on today’s cybersecurity threats. It helps IT, security, and compliance leaders build a cyber-aware culture where employees recognize and avoid falling victim to cyberattacks.
• Offering a Free Security Awareness and Training Service for K-12 School Districts in the U.S.: Fortinet announced that it has made its Security Awareness and Training Service available to K-12 school districts across the United States free of cost, making the training available to approximately 8 million faculty and staff. Educational institutions have seen an increase in bring your own devices (BYOD) making schools and students more vulnerable to cyber threats due to the expanding attack surface and, thus, must ensure they are securing their critical digital assets and sensitive information. With the tailored service, school districts can implement training for staff and faculty to expand their cyber knowledge and skills, so they don’t fall victim to popular threat methods as part of the overall school cybersecurity strategies.
• Expanding Academic Partner and Education Outreach Programs Partnerships: With more than 470 Authorized Academic Partners worldwide across more than 90 countries and territories, the Fortinet Training Institute continues to work with education institutions globally to help prepare the cyber workforce of the future. Among the new institutions worldwide that have joined the Academic Partner Program are: Universidad Panamericana (UP) in Mexico,Technological University of Queretaro (UTEQ) in Mexico, KLE Tech University in India, South Regional TAFE in Australia, Università of Tor Vergata of Roma in Italy, Cybersecurity Business School in France, UIB - Universitat de les Illes Balears in Spain, Polytechnic Institute of Guarda in Portugal, University West - Högskolan Väst in Sweden, South Texas College in the United States and more. As Authorized Academic Partners, these institutions are using Fortinet’s award-winning technical training in their classrooms and providing students with valuable industry certifications to add to their resumes upon graduation.

  Similarly, the Education Outreach Program is expanding Fortinet’s reach by partnering with additional organizations that represent traditionally underrepresented groups in the high-tech sector such as women, veterans, economically disadvantaged and more. New outreach partners include Cerco IT and National Economic Education Trust (NEET).
  

Supporting Quotes

“The number of skilled cybersecurity professionals is not growing fast enough to fill the nearly 3 million unfilled cybersecurity positions worldwide. To help solve this critical issue, I co-founded the Cybersecurity Business School in France, which is delivering two programs: a Bachelor of Cybersecurity Specialist and a Master of Cybersecurity Manager. A key part of our program is the Fortinet Training Institute’s Network Security Expert (NSE) training and certifications developed by industry experts, which we are leveraging to incorporate real-world teachings about critical security areas. Implementing Fortinet’s training in our classes and Fortinet security devices in our SOC, IT & OT simulation platform is allowing us to provide a robust curriculum to our students and to further develop the cybersecurity workforce of the future.”        

- Thomas Guilloux, Co-Founder and Technical & Industrial Director at the Cybersecurity Business School in France

“Polytechnic Institute of Guarda (IPG) is excited to partner with Fortinet as part of its Academic Partner Program. In a world amid digital transition, cybersecurity is a big issue today, and its global importance goes beyond impacting only IT teams. Therefore, for the teachers and researchers of the Polytechnic Institute of Guarda, having access to training from an industry-leading company like Fortinet is a very enriching experience. At the same, our students are acquiring know-how and certifications to work in an area with a huge shortage of qualified human resources directly from the current world leader in the area. As a result of this collaboration, Polytechnic Institute of Guarda will have a very relevant impact on the region and across the country in helping address the skills gap by preparing the future workforce. According to a report prepared by Fortinet in 2021, 80% of organizations that suffered cyberattacks attributed it to the lack of skills of their staff in the area of ​​cybersecurity. In Portugal, at the Polytechnic Institute of Guarda, the Fortinet Academy is contributing to making the country digitally safer.”

- Joaquim Brigas, President at the Polytechnic Institute of Guarda

“Today's organizations need professionals knowledgeable on syllabus related to digital security so that, with the advancement of technology, they know how to mitigate the growing number of threats and vulnerabilities. We have the responsibility to prepare our students in Mexico to take on the task of preventing cyberattacks to protect important information and organizations. Our collaboration with Fortinet is a testament of this commitment. With this agreement, the Universidad Panamericana (UP) further provides high-level training in IT and reiterates its commitment to continue preparing its students for digital transformation in areas related to cybersecurity”.

- Juan Carlos García, director of Digital Transformation at the Universidad Panamericana in Mexico

“To grant our candidates (ex-military or otherwise) access to the NSE training curriculum is a huge step forward in creating highly skilled IT professionals and enables us to further address the shortfall in the UK’s cybersecurity talent pool. We are thrilled to collaborate with the global leader in network security and are excited to be working with such a strong, internationally recognised training programme focused on closing the cyber skills gap.”

- Chris Barlow, MD of Cerco IT

“To address the skills gaps and provide training for skills that are in high demand, NEET has identified a need for training the unemployed youth in Forth Industrial Revolutions (4IR) skills and paying immediate attention to addressing cybersecurity skills gaps, which will be carried out by NEET 4IR Academy. Fortinet, as a global leader in broad, integrated and automated cybersecurity solutions, aligns quite perfectly as a strategic partner to help us achieve our organizational mission and vision in a manner that is both meaningful and impactful to our communities.”

- Thomas Sithole, Chairman at National Economic Education Trust (NEET)

Additional Resources

About Fortinet

Fortinet (NASDAQ: FTNT) makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey. The Fortinet Security Fabric platform delivers broad, integrated, and automated protections across the entire digital attack surface, securing critical devices, data, applications, and connections from the data center to the cloud to the home office. Ranking #1 in the most security appliances shipped worldwide, more than 595,000 customers trust Fortinet to protect their businesses. And the Fortinet NSE Training Institute, an initiative of Fortinet’s Training Advancement Agenda (TAA), provides one of the largest and broadest training programs in the industry to make cyber training and new career opportunities available to everyone. Learn more at  https://www.fortinet.com, the  Fortinet Blog, and  FortiGuard Labs.

FTNT-O

Copyright © 2022 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest, FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other trademarks belong to their respective owners. Fortinet has not independently Verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.

A video accompanying this announcement is available at:  https://www.globenewswire.com/NewsRoom/AttachmentNg/446402a9-3c18-4c27-bc56-68455d6aa356

Fortinet Training Institute Furthers Global Mission to Expand Access to Cyber Training for Untapped Talent and to Advance Skills for Cyber Professionals

SUNNYVALE, Calif., Oct. 03, 2022 (GLOBE NEWSWIRE) --

John Maddison, EVP of Products and CMO at Fortinet
"Fortinet has a long history of working to close the cyber skills gap, and we are proud to share we recently hit a significant milestone by achieving more than 1 million Network Security Expert (NSE) certifications issued to date. Continued learning through training and certifications is a critical way to stay ahead of cyber adversaries who are constantly evolving their attack strategies and methods. This is why Fortinet's Training Institute is dedicated to offering award-winning cyber training and certifications for security professionals to upskill and advance their knowledge or for those considering reskilling. At the same time, for organizations looking to build cyber awareness in their employees and strengthen their security posture, the Fortinet Training Institute offers its Security Awareness and Training service."

News Summary
Fortinetto date, further advancing its commitment to close the cybersecurity skills gap. Adding to this milestone, Fortinet continues to expand the global impact of its training and certification programs with the addition of new courses in priority cybersecurity areas, new training partners, and by expanding access to cyber training to empower untapped talent. Fortinet also continues to help organizations build a cyber-aware workforce through its existing Security Awareness and Training Serviceand through a exact initiativetied to the 2022 White House National Cyber Workforce and Education Summit, by providing a tailored version of the service available for K-12 school districts in the United States free of charge.

Advancing Skill Sets in Cybersecurity Professionals to Keep Up with Threats
With more than 80% of breachesbeing attributed to a lack of cyber skills according to a global 2022 Fortinet report, the cybersecurity skills gap continues to be a top-of-mind concern for organizations. In an effort to help close the cyber skills gap, Fortinet - through its Training Advancement Agendainitiatives - is focused on upskilling security professionals to stay ahead of threats with the following efforts:

• Validating Skills and Experience with NSE Certifications: As part of Fortinet's progress to close the skills gap, the Fortinet Training Institute achieved the milestone of over 1 million NSE certifications (https://training.fortinet.com/local/staticpage/view.php?page=certifications&utm_source=pr&utm_campaign=q2-nse) issued to date. The eight-level training and certification program is designed to provide technical professionals with independent validation of their security and networking skills as well as work experience. Fortinet's 2022 Global Skills Gap report (https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2022-skills-gap-survey.pdf?utm_source=pr&utm_campaign=report-2022-skills-gap-survey) revealed that 95% of leaders believe technology-focused certifications positively impact their role and their team, while 81% of leaders prefer to hire people with certifications. The Fortinet Training Institute (https://www.fortinet.com/nse-training?utm_source=pr&utm_campaign=nse-training) aims to provide professionals the opportunity not only to gain skills to ward off cyber threats, but also career growth opportunities, as leaders value certifications. In addition, the NSE training curriculum is easily accessible to empower access to learning and is offered in instructor-led, virtual instructor-led, and free self-paced training formats.
• Developing Courses in Key Cybersecurity Areas Across all Industries: The Fortinet Training Institute (https://www.fortinet.com/nse-training?utm_source=pr&utm_campaign=nse-training) is continuously updating its training with content that is relevant and dynamic for the issues and challenges cyber professionals face today. For example, the OT Security curriculum, as part of NSE level 7, provides a solid understanding of how to design, implement and operate an OT security solution for critical infrastructures. Other syllabu areas where the Fortinet Training Institute has expanded its curriculum include Zero Trust Network Access (https://www.fortinet.com/resources/cyberglossary/zero-trust-edge?utm_source=pr&utm_campaign=zero-trust-edge) and Secure SD-WAN (https://www.fortinet.com/products/sd-wan.html?utm_source=pr&utm_campaign=sd-wan), among others. Additionally, Fortinet offers low-cost labs to further advance skill sets for anyone taking technical, advanced or expert level training.
• Leveraging Threat Intelligence from FortiGuard Labs in Curriculum: The Fortinet Training Institute curriculum is developed by Fortinet's world-class trainers and curriculum developers with an in-depth knowledge of industry-leading technology and the evolving threat landscape. The training curriculum is augmented with threat intelligence from FortiGuard Labs (https://www.fortinet.com/fortiguard/labs?utm_source=pr&utm_campaign=fortiguardlabs), a global research team comprised of experienced threat hunters, researchers, analysts, engineers, and data scientists. In addition, the curriculum is designed to evolve based on the latest threat intelligence from FortiGuard Labs, ensuring that anyone taking training or pursuing certifications obtains the most relevant skills and knowledge.
• Offering Opportunities for Professionals to Upskill Through Fortinet's Global Authorized Training Centers: Fortinet Authorized Training Centers (https://www.fortinet.com/support/training/learning-center) (ATCs) are a network of accredited training organizations in more than 130 countries and territories around the world, teaching in 26 different languages. ATCs deliver the Fortinet Training Institute's cybersecurity training in local languages. New ATCs that have recently joined the program, extend the availability of Fortinet's training to security professionals around the world, including: Exclusive Networks (USA), Wavelink (Australia), HRP (Hungary), and DACAS (The Caribbean).

Expanding Access to Cyber Training and Empowering Untapped Talent
Fortinet is increasing access to its cybersecurity training so that more people, regardless of their educational background, current career or life experience, can access cyber courses and help kickstart a career in cybersecurity. Fortinet is also empowering untapped talent pools, including women, students, veterans and more, to reskill or expand their skills for a career in cyber, helping to address the industry talent shortage. As part of this focus, Fortinet made a commitmentin September of 2021 to train 1 million people in cybersecurity over 5 years between 2022-2026 and is on track to meet this through various initiatives, including:

• Enhancing organizations' cybersecurity awareness training for all employees with the Security Awareness and Training Service: Any company can easily deploy the Fortinet Training Institute's Security Awareness and Training Service (https://www.fortinet.com/training/security-awareness-training) to further protect their security posture by advancing all their employees' cyber skill sets and knowledge. This service introduced (https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2022/fortinet-launches-new-security-awareness-training-service-cyber-awareness-mitigate-threats) earlier this year is a SaaS-based offering that delivers timely awareness training on today's cybersecurity threats. It helps IT, security, and compliance leaders build a cyber-aware culture where employees recognize and avoid falling victim to cyberattacks.
• Offering a Free Security Awareness and Training Service for K-12 School Districts in the U.S.: Fortinet announced (https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2022/fortinet-announces-free-training-offering-schools-white-house-cyber-workforce-education-summit) that it has made its Security Awareness and Training Service available to K-12 school districts across the United States free of cost, making the training available to approximately 8 million faculty and staff. Educational institutions have seen an increase in bring your own devices (BYOD) making schools and students more vulnerable to cyber threats due to the expanding attack surface and, thus, must ensure they are securing their critical digital assets and sensitive information. With the tailored service, school districts can implement training for staff and faculty to expand their cyber knowledge and skills, so they don't fall victim to popular threat methods as part of the overall school cybersecurity strategies.
• Expanding Academic Partner and Education Outreach Programs Partnerships: With more than 470 Authorized Academic Partners worldwide across more than 90 countries and territories, the Fortinet Training Institute continues to work with education institutions globally to help prepare the cyber workforce of the future. Among the new institutions worldwide that have joined the Academic Partner Program are: Universidad Panamericana (UP) in Mexico,Technological University of Queretaro (UTEQ) in Mexico, KLE Tech University in India, South Regional TAFE in Australia, Università of Tor Vergata of Roma in Italy, Cybersecurity Business School in France, UIB - Universitat de les Illes Balears in Spain, Polytechnic Institute of Guarda in Portugal, University West - Högskolan Väst (https://www.hv.se/en/) in Sweden, South Texas College in the United States and more. As Authorized Academic Partners, these institutions are using Fortinet's award-winning technical training in their classrooms and providing students with valuable industry certifications to add to their resumes upon graduation.

  Similarly, the Education Outreach Program (https://www.fortinet.com/training/education-outreach-program) is expanding Fortinet's reach by partnering with additional organizations that represent traditionally underrepresented groups in the high-tech sector such as women, veterans, economically disadvantaged and more. New outreach partners include Cerco IT and National Economic Education Trust (NEET).
  

Supporting Quotes

"The number of skilled cybersecurity professionals is not growing fast enough to fill the nearly 3 million unfilled cybersecurity positions worldwide. To help solve this critical issue, I co-founded the Cybersecurity Business School in France, which is delivering two programs: a Bachelor of Cybersecurity Specialist and a Master of Cybersecurity Manager. A key part of our program is the Fortinet Training Institute's Network Security Expert (NSE) training and certifications developed by industry experts, which we are leveraging to incorporate real-world teachings about critical security areas. Implementing Fortinet's training in our classes and Fortinet security devices in our SOC, IT & OT simulation platform is allowing us to provide a robust curriculum to our students and to further develop the cybersecurity workforce of the future."
-Thomas Guilloux, Co-Founder and Technical & Industrial Director at the Cybersecurity Business School in France

"Polytechnic Institute of Guarda (IPG) is excited to partner with Fortinet as part of its Academic Partner Program. In a world amid digital transition, cybersecurity is a big issue today, and its global importance goes beyond impacting only IT teams. Therefore, for the teachers and researchers of the Polytechnic Institute of Guarda, having access to training from an industry-leading company like Fortinet is a very enriching experience. At the same, our students are acquiring know-how and certifications to work in an area with a huge shortage of qualified human resources directly from the current world leader in the area. As a result of this collaboration, Polytechnic Institute of Guarda will have a very relevant impact on the region and across the country in helping address the skills gap by preparing the future workforce. According to a report prepared by Fortinet in 2021, 80% of organizations that suffered cyberattacks attributed it to the lack of skills of their staff in the area of ??cybersecurity. In Portugal, at the Polytechnic Institute of Guarda, the Fortinet Academy is contributing to making the country digitally safer."
- Joaquim Brigas, President at the Polytechnic Institute of Guarda

"Today's organizations need professionals knowledgeable on syllabus related to digital security so that, with the advancement of technology, they know how to mitigate the growing number of threats and vulnerabilities. We have the responsibility to prepare our students in Mexico to take on the task of preventing cyberattacks to protect important information and organizations. Our collaboration with Fortinet is a testament of this commitment. With this agreement, the Universidad Panamericana (UP) further provides high-level training in IT and reiterates its commitment to continue preparing its students for digital transformation in areas related to cybersecurity".
- Juan Carlos García, director of Digital Transformation at the Universidad Panamericana in Mexico

"To grant our candidates (ex-military or otherwise) access to the NSE training curriculum is a huge step forward in creating highly skilled IT professionals and enables us to further address the shortfall in the UK's cybersecurity talent pool. We are thrilled to collaborate with the global leader in network security and are excited to be working with such a strong, internationally recognised training programme focused on closing the cyber skills gap."
- Chris Barlow, MD of Cerco IT

"To address the skills gaps and provide training for skills that are in high demand, NEET has identified a need for training the unemployed youth in Forth Industrial Revolutions (4IR) skills and paying immediate attention to addressing cybersecurity skills gaps, which will be carried out by NEET 4IR Academy. Fortinet, as a global leader in broad, integrated and automated cybersecurity solutions, aligns quite perfectly as a strategic partner to help us achieve our organizational mission and vision in a manner that is both meaningful and impactful to our communities."
- Thomas Sithole, Chairman at National Economic Education Trust (NEET)

Additional Resources

• Read more about Fortinet's NSE certification milestone and why certifications are critical to closing the skills gap in this blog (https://www.fortinet.com/blog/business-and-technology/fortinet-issues-more-than-1-million-nse-certifications-addressing-need-for-cybersecurity-upskilling).
• Learn more about Fortinet's free cybersecurity training (https://www.fortinet.com/training/cybersecurity-professionals?utm_source=blog&utm_medium=blog&utm_campaign=freetraining), which includes broad cyber awareness and product training. As part of the Fortinet Training Advancement Agenda (TAA), the Fortinet Training Institute (https://youtu.be/lOtWOuvdMnc) also provides training and certification through the Network Security Expert (NSE) Certification (https://www.fortinet.com/training-certification?utm_source=pr&utm_medium=pr&utm_campaign=NSE), Academic Partner (https://www.fortinet.com/training/security-academy-program?utm_source=pr&utm_medium=pr&utm_campaign=academy), and Education Outreach (https://www.fortinet.com/training/education-outreach-program?utm_source=pr&utm_medium=pr&utm_campaign=outreach) programs.
• Learn more about FortiGuard Labs (https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_medium=blog&utm_campaign=fglabs) threat intelligence and research and Outbreak Alerts (https://www.fortinet.com/fortiguard/outbreak-alert?utm_source=blog&utm_medium=blog&utm_campaign=outbreak), which provide timely steps to mitigate breaking cybersecurity attacks.
• Learn more about Fortinet's FortiGuard Security Services portfolio (https://www.fortinet.com/solutions/enterprise-midsize-business/security-as-a-service/fortiguard-subscriptions?utm_source=blog&utm_medium=blog&utm_campaign=services).
• Read more about how Fortinet customers (https://www.fortinet.com/customers?utm_source=pr&utm_medium=pr&utm_campaign=customers) are securing their organizations.
• Follow Fortinet on Twitter (https://twitter.com/Fortinet), LinkedIn (https://www.linkedin.com/company/fortinet), Facebook (https://www.facebook.com/fortinet/), and Instagram (https://www.instagram.com/behindthefirewall/). Subscribe to Fortinet on our blog (https://www.fortinet.com/blog?utm_source=blog&utm_medium=blog&utm_campaign=blog) or YouTube (https://www.youtube.com/channel/UCJHo4AuVomwMRzgkA5DQEOA'sub_confirmation=1).

About Fortinet
Fortinet, the Fortinet Blog, and FortiGuard Labs.

FTNT-O

Copyright © 2022 Fortinet, Inc. All rights reserved. The symbols and denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest, FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other trademarks belong to their respective owners. Fortinet has not independently Verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.

A video accompanying this announcement is available at: https://www.globenewswire.com/NewsRoom/AttachmentNg/446402a9-3c18-4c27-bc56-68455d6aa356