


Yoroi cybersecurity services are based on human abilities empowered by proprietary technologies. As long as a human attacker stands to profit from a cyberattack, only a human analyst is able to understand and block the real attack. This is the philosophy behind our managed cybersecurity services, whose scope is to defend our customers' cyberspace.

IRT (Incident Response Team)

When a security incident hits hard, cyber-criminals seem to overcome all the boundaries and controls we carefully designed. During these hours, the darkest hours, everything is blurred and there is no clear path to resolving the situation. The only questions in mind are “How to get rid of the attackers, now” and “How to get back to regular operations”. Yoroi designed a set of services to help companies manage these contingencies, providing the technologies, skills and knowledge to put in place, coordinate and handle the activities needed to rise from the darkest hours. Leveraging the expertise of the CERT-Yoroi unit, Yoroi is able to provide on-demand response capabilities, privacy-related consultancy and analytical skills to make sure the cyber crisis is handled the right way, getting rid of the attackers, minimizing the risk of fallout and easing the relationship with Local and Data Protection Authorities.

Threat Hunting

CERT-Yoroi is Yoroi’s Computer Emergency Readiness & Response Team. Its mission is to defend the companies, entities and bodies that are part of its Constituency, to support them during crisis situations and cyber emergencies, and to help them protect themselves against National and International cyber-attacks that would hamper the integrity of their infrastructures and harm their business. CERT-Yoroi achieves its mission through awareness-raising initiatives supporting the enhancement of the security posture, the maintenance of threat intelligence programs and information about cyber-risks and emerging threats, response coordination, and technical and analytical support. This specialized readiness and response unit is also accredited in the Trusted Introducer TF-CSIRT community, the European CERT community network supported by ENISA. CERT-Yoroi cooperates with Italian institutional CERTs and CSIRTs, sharing and exchanging information to leverage and support the collective efforts against cyber-threats.

Wi-Fi Infrastructure Assessment

Low deployment costs make wireless networks attractive. However, the easy availability of inexpensive equipment also gives attackers the tools to launch attacks on the network, eavesdrop on or tamper with wireless transmissions, and access sensitive data. Through the Wi-Fi Infrastructure Assessment, Yoroi measures the level of security of wireless communications, analysing the response of the systems when faced with various critical situations, from high utilisation levels to passive and active attacks. Yoroi usually analyses:

  • service status of devices, operating periods and versions of the hardware and software in use
  • infrastructure fragility, software systems and apparatuses experiencing instability, high loads or frequent changes of use
  • communication protocols, and the confidentiality and integrity of data exchanged through the medium
  • presence of intrusion detection controls, suspicious or unauthorised activities and alteration of signals
  • administrative access to the devices and extent of the access signal
  • configuration errors and weak credentials or passwords
  • response against unauthorised access point systems (fake AP)

The methods adopted by Yoroi for Wi-Fi infrastructure tests ensure effective measurement of the security level of the local business network perimeter. The assessment is carried out in two stages: a first one during which the Wi-Fi security is actively tested by an attacker interacting with the access point, and a second one off-line. A technical report, an executive summary and a technical appendix will be delivered at the end of the assessment to document the outcome.

Vulnerability Assessment

The first step in creating an effective defense is figuring out where the vulnerabilities are in the system. Without this knowledge it is impossible to plan. The Yoroi vulnerability assessment service provides an advanced analysis of the client's infrastructure vulnerabilities, assessing both the risks related to the business and the complexity of possible remedial actions, allowing management to take the right decisions and set up a proper security plan. A vulnerability is the path through which threats get into the system and manifest themselves. The main purpose of a vulnerability assessment is to identify, quantify and evaluate the priorities and impacts of vulnerabilities within the client's assets. The main vulnerabilities detected during the assessment are: wrong configurations, outdated systems, default configurations. The Yoroi assessment is carried out by both automated tools and our analysts. There are three different levels of service offered: not invasive, invasive and invasive plus attack. The not invasive option is based on external information gathering, which is usually the first stage of a cyber attack. The invasive option adopts a more in-depth analysis, interrogating the assessed machines through ICMP, TCP or UDP. The next level adds to the invasive approach an attack simulation in order to obtain confidential information and access to the system. At the end of the vulnerability assessment, Yoroi's team delivers an important tool for any organisation: a report listing identified vulnerabilities, priorities and risks.

Adversarial Simulation

As attackers increasingly use more sophisticated techniques to gain a foothold within a company, there is a heightened need for businesses to evaluate and improve their defensive measures. Effective targeted attack simulations require not only a strong testing capability, but also a good understanding of attacker tradecraft. The targeted attack simulations performed by Yoroi include an in-depth study of the goals considered critical by the client, in order to create attack tools and bespoke malware that test the security systems and security policies in use at the limit of their capabilities. The purpose of the simulation is to highlight normally hidden weaknesses to common broad-range threats and to provide as much information, guidance and support as possible to mitigate risk and the identified attack vectors, in order to achieve the best security posture for the entire organisation. A targeted attack simulation performed by Yoroi provides clear guidance on the effectiveness of the policies in place, staff training and adopted defence tools.

Source Code Analysis

Companies today are under constant attack from criminal hackers and other malicious threats. As their networks have become more secure, attackers have turned their attention to the application layer, which now contains the majority of all vulnerabilities. To increase protection, security managers must perform detailed source code analysis when developing or buying software. Yoroi offers a code review activity that pays particular attention to intrinsic vulnerabilities. In accordance with ISO/IEC 9126 standards, we analyse the quality of the developed software by identifying and evaluating the so-called 'bad smells' (rigidity, fragility, stillness, viscosity and opacity) and then look at code security, analysing absence of checks, use of vulnerable libraries, arrays of incorrect authentication, XSS, buffer overflows, broken authentication, session management, insecure object references, misconfiguration, sensitive data exposure and CSRF.

SIEM management

Security Information and Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organisation’s information technology (IT) security. The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations, and being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary. SIEM combines SIM (Security Information Management) and SEM (Security Event Management) functions into one security management system. Yoroi offers a configuration and management service for a SIEM system based on Splunk. Splunk stores all the logs and provides very fast search capabilities, roughly in the same way Google does for the internet. Our analysts then write the correlation searches using SPL (Search Processing Language) to make the most of the data collected with Splunk. The correlated data are then collected and shown as dashboards.

Security Infrastructure Assessment (SIA)

Due to the growing complexity and diversity of information systems, the possibility of security weaknesses is increasing and they are getting harder to detect. The security of the entire IT infrastructure depends on the weakest link, which alone can adversely affect many security measures in place. The test carried out on the client's infrastructure is a service designed to check the effectiveness of the security in place. The process consists of three main stages: anti-malware and anti-phishing testing, firewall perimeter testing and auditing. The service is performed by highly skilled security experts. Our team always methodically outlines and presents to our clients the 'status quo' and a series of specific, actionable steps they recommend to improve the company's overall security posture. The outcome of the Security Infrastructure Assessment is a document reporting both results and advice for improvement and possible future implementations.

Penetration Testing

High-profile data breaches and Internet of Things attacks have put companies under extraordinary pressure to ensure that their systems are secure and their data protected. Before purchasing specific security products, Yoroi suggests assessing weak spots and gaps in the client's security by carrying out a penetration test, because technically assessing systems and networks gives insight into what businesses actually need to best protect themselves. Our team of testers works closely with our clients to formulate penetration testing based on their organisations' unique security goals. Once penetration testing and analysis have been completed, our clients receive a detailed report on findings, which includes actionable recommendations for addressing vulnerabilities.

Log Management

Servers and endpoints, business-critical systems and security appliances generate extensive event logs every day that have to be centralised and carefully monitored and managed. Log centralisation allows constant monitoring of corporate asset access, errors and malfunctions. Yoroi collects, analyses and archives EventLog from Windows and syslog from Unix/Linux hosts, routers and switches, AS/400 logs, and application and service logs such as IIS, FTP, MS SQL, Oracle, DHCP, DNS servers, Apache, Hadoop and VMware. Yoroi offers a cloud solution through the generation of a Virtual Private Server (VPS) specific to each client, allowing them to offload management and maintenance while retaining full access to the appliances.

KickBack Attack

Being able to detect and block an attack is not always enough. In some circumstances, such as multiple attacks coming from the same geographic region, attacks carried out through the same vector, attacks on specific targets or attacks compromising certain assets, more information on the attacker is much needed. The kickback attack service aims to get more information on the attacker using counter-cyber espionage techniques and the Yoroi Red Team specialised in counter and reverse attacking.