Abstract: A security assessment tool can determine computer assets in a network and provide an overall security score for the network. The overall security score can represent an objective measure of the security of the network that considers potential security threats to the computer assets, counter measures deployed in the network to address the potential security threats, and the effectiveness of the counter measures. Based on the overall security assessment, the security assessment tool can provide recommendations for improving the security of the network.

Abstract: A method for handling packets is disclosed. The method can include providing at least one main processor connected to a plurality of offload processors by a memory bus; configuring the offload processors to provide security related services on packets prior to redirection to the main processor; and operating a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus.

Abstract: A method includes recording, during execution of a program and by a computing system, concrete values exhibited at source and sink statements in the program. The source statements read confidential information and the sink statements release the confidential information to an outside environment. The method includes determining, by the computing system, using at least the recorded concrete values and source-sink pairs whether information leakage meeting one or more quantitative criteria occurs by the program. Apparatus and program products are also disclosed.

Abstract: A central authentication and interaction tracking system authenticates an entity making a request related to a financial account. The system facilitates authentication of an entity engaging in an interaction based on a record of interactions initiated by the entity. The system includes an application interface receiving interaction requests over a network, the requests originating from multiple entities and including authentication factors. The system further includes a computer processor and computer memory capable of building, from each interaction request, an entity print record for each of the multiple entities, wherein each entity print record includes the authentication factors. The system further facilitates deriving, from the entity print record, an entity print, comparing received authentication factors for a requested interaction with the entity print, and making an authentication determination based on the comparison.

Abstract: A host based security system for a computer network includes in communication with the network a credential host that is operative in concert with a local computer and a destination site. The destination site has a credential authentication policy under which credentials associated with the local computer upon being authenticated authorizes data to be communicated between each of the destination site and the local computer during a communication session over the network. The credential host stores the credentials to be used by the destination and is operative to transmit the credentials onto the network in response to a request received from the local computer. The destination site upon the credentials being received and authenticated thereat is operative to transmit session information onto the network. The local computer is then operative to commence the communication session upon receipt of said the information.

Abstract: A method of enciphering information includes generating five index values by performing modulo division on a 32-bit binary input value, identifying five 8-bit output patterns based on the five index values, and enciphering or deciphering five bytes of text using the five 8-bit output patterns.

Abstract: A method for using a location-based service while preserving anonymity includes receiving a location associated with a mobile node, receiving an anonymity level associated with the mobile node, computing a region containing the location of the mobile node and a number of footprints based on the anonymity level, wherein each of the footprints from a different user, and providing the region to a location-based service to thereby preserve anonymity of the mobile node. A method also allow a mobile device or its user to specify the anonymity level by selecting a public region consistent with a user's feelings towards desired privacy.

Abstract: A method and apparatus for providing an automated key distribution to enable communication between two networked devices. A monitoring device receives a request from a network device to send a certificate using a second secure connection prior to an expiration of a timeout period, wherein the second secure connection was created using a known port in response to determining that a request to create a first secure connection was rejected. The monitoring device sends the certificate to the network device using the second secure connection, and establishes the first secure connection with the network device in response to the network device receiving the public key of the monitoring device from a server system by using the certificate.

Abstract: This is a system for controlling and restricting access (reading, writing, creating, deleting, manipulating, and control) to data and data representations of arbitrary processing engines through the use of secure containers, an access processing engine, and cryptographic keys.

Abstract: An identity management system is described. The identity management system includes a data store to store a generic template for a user interface (UI) of the identity management system and a dynamic UI toolkit installed at a computing system, the dynamic UI toolkit to create a dynamic identity program template (IPT) from the generic template and customization input. In one example, the identity management system receives a first identifier indicating a first type of identity program; determines a first security level in view of the first identifier, determines a first set of identification elements from a plurality of identification elements in view of the first security level and in view of the first identifier, and generates a first template in view of the first set of identification elements.

Abstract: An approach is provided for determining one or more user inputs for specifying configurable privacy-related data for at least one shared device, wherein the one or more user inputs are associated with one or more users of the at least one shared device. The approach involves processing and/or facilitating a processing of the one or more user inputs to identify at least one potential privacy conflict resulting from the one or more user inputs. The approach also involves causing, at least in part, an initiation of at least one privacy preserving action based, at least in part, on the at least one potential privacy conflict.

Abstract: A method and system for automatically submitting login credentials as a background process for a user of a web service are provided. Login information corresponding to a login form of the web service is stored, where the login information comprises a login endpoint of the web service and the login credentials are used to authenticate the user for a session of the web service. A login token, generated by the web service, and its expiration date are tracked. The login credentials are then automatically submitted, without user intervention, to the web service based on the login endpoint and the expiration date of the login token.

Abstract: Improved clustered storage systems make use of a software toggle switch stored in a shared persistent configuration database, which allows a peer node to be rebooted into a FIPS 140 mode defined by the switch and then to take over as master while the original master node reboots into the new FIPS 140 mode as defined by the switch. Advantageously, system availability is maintained as the nodes are rebooted sequentially while a master is always available. The persistent switch allows for synchronization, while also allowing persistence of state even in the event of a system crash.

Abstract: Securing a network is disclosed. A monitored session between a client and a network resource is provided. It is determined whether the client is attempting an authorized command. If the command is determined to be unauthorized, the command is intercepted. Optionally, remedial action is taken if it is determined that the client is attempting an unauthorized command.

Abstract: A technique to verify firmware. One embodiment of the invention uses a processor's micro-code to verify a system's firmware, such that the firmware can be included in a trusted chain of code along with the operating system.

Abstract: Methods, apparatus and articles of manufacture for identifying suspicious user logins in enterprise networks are provided herein. A method includes processing log data derived from one or more data sources associated with an enterprise network, wherein the enterprise network comprises multiple hosts; generating a set of profiles, wherein the set comprises a profile corresponding to each of multiple users and a profile corresponding to each of the multiple hosts, wherein each profile comprises one or more login patterns based on historical login information derived from said log data; and analyzing a login instance within the enterprise network against the set of profiles.

Abstract: A method for managing the security of a client device in a mobile device management system (MDMS) comprises receiving a security policy at a client device, applying the security policy on the client device, determining an occurrence of a security policy event, determining a violation based on the occurrence of the security policy event and applying different security controls based on predefined elapsed times on the client device.

Abstract: Methods and systems for Data Leak Prevention (DLP) in a private network are provided. According to one embodiment, a data packet is received by a network security appliance. The data packet is originated by a first networking device within a network protected by the network security appliance and is directed to a second networking device that is outside the network. The data packet is decoded in accordance with an upper layer protocol through which the data packet is being transmitted. A command, request or method of the upper layer protocol that is specified by or represented by the data packet is determined. A field of the command, request or method, which is not designed for carrying a message or a file, is scanned for sensitive or confidential information based on a sensor rule. When the scanning results in a match, then an action associated with the sensor rule is performed.

Abstract: The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or process executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.

Abstract: The present disclosure is directed to a system and method for wirelessly accessing broadband services using intelligent cards. In some implementations, a broadband service card includes a physical interface, a communication module, secure memory, and service module. The physical interface connects to a port of a consumer host device. The communication module wirelessly receives RF signals from and transmits RF signals to a wireless broadband network. The secure memory stores user credentials used to securely authenticate the card and access a service foreign to the consumer host device through the wireless broadband network independent of the consumer host device. The user credentials are associated with a broadband service provider. The service module accesses the foreign service using the user credentials in response to at least an event and transmits a service request to the broadband service provider using the wireless broadband core network.