
Security audits

Trayo SARL offers a variety of services to harden and enhance the infrastructure and the security of the information system. The sections below describe the security services that we offer to small, medium and large companies.

You can also check the typical profile of our consultant.

Penetration testing and vulnerability scanning:

We offer external and internal penetration testing and vulnerability scanning on the computers, servers, routers, firewalls and any other networking equipment.

The list of tests includes, but is not limited to:

  •  AIX local security checks
  •  Backdoors
  •  CGI abuse
  •  Cisco vulnerabilities
  •  Database vulnerabilities
  •  Default Unix accounts
  •  Denial of service
  •  FTP vulnerabilities
  •  Fedora local security checks
  •  Finger abuses
  •  Firewall vulnerabilities
  •  Gain a shell remotely
  •  Gain root remotely
  •  HP-UX local security checks
  •  MACOS local security checks
  •  Mandrake local security checks
  •  NIS vulnerabilities
  •  Peer-to-peer file sharing
  •  Port scanning
  •  RPC vulnerabilities
  •  RedHat vulnerabilities
  •  SMTP problems
  •  SNMP problems
  •  Solaris local security checks
  •  SuSe local security checks
  •  Ubuntu local security checks
  •  Web server vulnerabilities
  •  Windows vulnerabilities

A full report presenting the tests performed and the results obtained will be submitted to your organization, including general recommendations, suggested corrections and modifications. The report also includes a general overview of the security infrastructure and recommendations regarding this infrastructure.

Deeper Scanning:

We also offer deeper scanning of the computers and servers running Microsoft operating systems. The deeper scanning includes the following checks:

  •  Checking for Windows administrative vulnerabilities
  •  Checking for weak passwords
  •  Checking for IIS administrative vulnerabilities
  •  Checking for SQL administrative vulnerabilities
  •  Checking for security updates


Security Policies:

Trayo SARL can help your organization set up security policies. We will work with you to write and validate the security policies to be applied within your organization. We can suggest the following policies to your organization:

  •  Acceptable Use Policy

It defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.

  •  E-mail Policy

It defines standards to prevent tarnishing the public image of the organization.

  •  Automatically Forwarded Email Policy

It documents the requirement that no email will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.

  •  E-mail Retention

The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long.

  •  Ethics Policy

It defines the means to establish a culture of openness, trust and integrity in business practices.

  •  Information Sensitivity Policy

It defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.

  •  Password Protection Policy

It defines standards for creating, protecting, and changing strong passwords.

  •  Acceptable Encryption Policy

It defines requirements for encryption algorithms used within the organization.

  •  Analog/ISDN Line Policy

It defines standards for use of analog/ISDN lines for Fax sending and receiving, and for connection to computers.

  •  Anti-Virus Process

It defines guidelines for effectively reducing the threat of computer viruses on the organization's network.

  •  Application Service Provider Policy

It defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.

  •  Application Service Provider Standards

It highlights the minimum security standards for the ASP. This policy is referenced in the ASP Policy above.

  •  Acquisition Assessment Policy

It defines responsibilities regarding corporate acquisitions, and defines the minimum requirements of an acquisition assessment to be completed by the information security group.

  •  Audit Vulnerability Scanning Policy

It defines the requirements and provides the authority for the information security team to conduct audits and risk assessments to ensure integrity of information/resources, to investigate incidents, to ensure conformance to security policies, or to monitor user/system activity where appropriate. 

  •  Database Credentials Coding Policy

It defines requirements for securely storing and retrieving database usernames and passwords.

  •  Dial-in Access Policy

It defines appropriate dial-in access and its use by authorized personnel.

  •  DMZ Lab Security Policy

It defines standards for all networks and equipment deployed in labs located in the "Demilitarized Zone" or external network segments. 

  •  Extranet Policy

It defines the requirement that third party organizations requiring access to the organization's networks must sign a third-party connection agreement.

  •  Internal Lab Security Policy

It defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

  •  Internet DMZ Equipment Policy

It defines the standards to be met by all equipment owned and/or operated by the organization that is located outside the organization's Internet firewalls (the demilitarized zone or DMZ).

  •  Lab Anti-Virus Policy

It defines requirements which must be met by all computers connected to the organization's lab networks to ensure effective virus detection and prevention.

  •  Personal Communication Device

It describes Information Security's requirements for Personal Communication Devices and Voicemail.

  •  Remote Access Policy

It defines standards for connecting to the organization's network from any host or network external to the organization.

  •  Remote Access - Mobile Computing and Storage Devices

It establishes an authorized method for controlling mobile computing and storage devices that contain or access information resources.

  •  Risk Assessment Policy

It defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

  •  Router Security Policy

It defines standards for minimal security configuration for routers and switches inside a production network, or used in a production capacity.

  •  Server Security Policy

It defines standards for minimal security configuration for servers inside the organization's production network, or used in a production capacity.

  •  Server Malware Protection Policy

It outlines which server systems are required to have anti-virus and/or anti-spyware applications.

  •  VPN Security Policy

It defines the requirements for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the organization's network.

  •  Wireless Communication Policy

It defines standards for wireless systems used to connect to the organization's networks.

Basic Security Assessment:

This basic assessment is designed to assist your company with identifying and addressing the basic security risks in your computing environment. It covers the following areas:

  •  Business risk profile
  •  Infrastructure:
    •  Perimeter defense
    •  Authentication
    •  Management and monitoring
    •  Workstations
  •  Applications:
    •  Deployment and use
    •  Application design
    •  Data storage and communications
  •  Operations:
    •  Environment
    •  Security policy
    •  Backup and recovery
    •  Patch and update management
  •  People:
    •  Requirements and assessments
    •  Policies and procedures
    •  Training and awareness

The assessment is a series of questions that leads to a detailed report. The report includes the analysis of the situation as well as general recommendations and suggested modifications.

Advanced security assessment based on ISO 27001:

This advanced assessment is a new and exclusive concept by Trayo SARL. It is designed to assist your company with identifying and addressing security risks in your computing environment. It is based on ISO 27001, the standard that specifies the requirements for Information Security Management Systems. The assessment is a series of questions that leads to a detailed report. The report includes the analysis of the situation as well as general recommendations and suggested modifications. It complements the basic security assessment.

It covers the following areas:

  •  Security policy
  •  Organization of information security
  •  Asset management
  •  Human resources security
  •  Physical and environmental security
  •  Communications and operations management
  •  Access control
  •  Information systems acquisition, development and maintenance
  •  Information security incident management
  •  Business continuity management
  •  Compliance with legal requirements and standards

Benefits of this assessment:

This assessment offers an excellent framework for those developing or enhancing their organization’s security.

It can provide many tangible benefits:

  •  A valuable framework for resolving security issues
  •  Enhanced client confidence in, and perception of, your organization
  •  Enhanced business partner confidence in, and perception of, your organization
  •  Confidence that you have managed risk in your own security implementation
  •  Enhanced security awareness within the organization
  •  Assistance in the development of best practices
  •  Help in establishing that relevant laws and regulations are being met
  •  Potential cost savings, since even a single information security breach can involve significant costs
  •  Help in ensuring that a commitment to information security exists at all levels throughout the organization

Awareness programs:

Trayo has developed an awareness program for your organization's employees based exclusively on quizzes. This awareness program addresses several aspects of security through question-and-answer sessions that let your employees understand the importance of security measures as well as the best practices. The program covers several security fields such as viruses and worms, spyware, online activities, e-mail and spam.

Typical profile of our consultant:

  •  Communication engineer (European diploma) with 15 years of experience
  •  Work experience in France Telecom and SFR/Cegetel, two major European communication companies
  •  Built and maintained the networking and the security infrastructure of a major Lebanese university (References available upon request)
  •  Executed several security projects and several security audits among them a full security audit for the American Community School in Beirut, Lebanon (References available upon request)
  •  Holds the ISO 27001 Information Security Management System Lead Auditor certification (Certified Lead Auditor number 27144-84436, issued by the British Standards Institution, United Kingdom)
  •  Has developed a firewall appliance prototype
  •  Has developed a prototype for a revolutionary intelligent security appliance


Send mail to trayo@trayo.com with questions or comments about this web site.
Copyright © 2008 Trayo SARL