Abstract: Methods and systems provide for multi-factor authentication (MFA) of a user to a device or network in which a criteria for maintaining the authentication is based on the presence of the user before a device. After the user is authenticated and provided with access, a continuity criteria (i.e., a measure of the presence of the user before the device) must be fulfilled for that access to be maintained. When it is determined that the continuity requirement is not fulfilled, an aspect of the access is denied. A continuity criteria may be based on the location of a second computing device with respect to a first computing device. And multiple methods of determining continuity may be employed simultaneously, with access being denied when continuity is fulfilled by none of the methods.

Abstract: One example method includes performing a filtering process that identifies one or more candidate hosts for scheduling of a pod, wherein the candidacy of a host is determined based in part upon an association rule, generating an overall host score for each of the candidate hosts, and scheduling the pod to one of the candidate hosts based on the overall host score of that candidate host. A host risk score and/or pod risk score may be used in the generating of the overall host score.

Abstract: A computer-implemented method for client-side identity verification may include (1) receiving, via an endpoint computing device, input from a user that includes biometric data of the user captured by a sensor of the endpoint computing device and visual data of a physical identification document that includes a record of the biometric data, (2) verifying, by the endpoint computing device, that the biometric data captured by the sensor of the endpoint computing device matches the record of the biometric data in the physical identification document, and (3) transmitting, to a server, a verification that the user has been identified while preventing the biometric data from being included in the verification sent to the server. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A storage processing unit configured to store, in a storage unit, first data output by a device or any one of multiple devices in association with first context information related to the first data, and a determining unit configured to obtain second context information related to second data in a case where the second data is received from the device or any one of the multiple devices, and determine whether an analysis of the received second data is necessary based on the received second data and the obtained second context information and based on the first data and the first context information stored in the storage unit, are provided.

Abstract: A technological approach can be employed to protect data. Datasets from distinct computing environments of an organization can be scanned to identify data elements subject to protection, such as sensitive data. The identified elements can be automatically protected such as by masking, encryption, or tokenization. Data lineage including relationships amongst data and linkages between computing environments can be determined along with data access patterns to facilitate understanding of data. Further, personas and exceptions can be determined and employed as bases for access recommendations.

Abstract: A method for web access control that comprises the following steps: creating a content item (1) in a content management system; generating a series of unique secure random access tokens (2) and storing them in a database (3); generating a file containing the ATs with their corresponding direct link URLs, when a client device accesses the content using a browser (11), checking with the server if the request's BID is already registered for this AT; if it is already registered, allowing access to the content; if not, checking if a preset limit of allowed registered BIDs for the AT has been reached; if the limit has been reached, denying access to the content; if not, registering the new BID with the AT and allowing access to the content.

Abstract: Novel tools and techniques are provided for implementing fraud or distributed denial of service (“DDoS”) protection for session initiation protocol (“SIP”)-based communication. In various embodiments, a computing system may receive, from a first router, first SIP data indicating a request to initiate a SIP-based media communication session between a calling party at a source address and a called party at a destination address. The computing system may analyze the received first SIP data to determine whether the received first SIP data comprises any abnormalities indicative of potential fraudulent or malicious actions. If so, the computing system may reroute the first SIP data to a security deep packet inspection (“DPI”) engine, which may perform a deep scan of the received first SIP data to identify any known fraudulent or malicious attack vectors contained within the received first SIP data. If so, the security DPI engine may initiate mitigation actions.

Abstract: The method disclosed herein provides for performing user authentication and maintaining user authentication and access to a first device based on the user maintaining control of the first device. The continued control may be based on determining the user's continued possession of the first device, or determining an acceptable proximity of the user to the first device. The proximity of the user may be determined using a second device associated with the user, or sensors associated with the first device.

Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.

Abstract: Disclosed embodiments provide a framework to enable automatic identification and authentication of users to allow for multichannel communications in an authenticated state. In response to an authentication request from an end agent engaged in a communications session with a user, a current authentication state associated with the user is determined. Based on the current authentication state and a set of authentication rules associated with the end agent, a set of authentication challenges are identified and executed by an application implemented on the user's computing device. Data corresponding to completion of these authentication challenges is used to determine a new authentication state, which can be used to update the communications session.

Abstract: A client device accesses content and performs actions at a remote application server via a user-agent application. The application server directs the user-agent application to a security verification system to retrieve and perform security tests. The security verification system receives information from the user-agent application describing characteristics of the user-agent application, and the security verification system selects a set of security tests to be performed by a security module executing in the user-agent application to verify that the user-agent application is accessing the application server consistent with the described user-agent application. The security verification system compares a set of test results with other user-agent applications and provides a token to the user-agent application to access the application server. The security module may also monitor and actions on the user-agent application to permit the security verification system to revise or revoke the token.

Abstract: According to certain aspects of the present disclosure, a computer-implemented method is provided. The method includes receiving, at a mobile device management server from a threat feed server, at least one security statement. The method includes parsing the at least one security statement into parsed information. The method includes creating a custom threat feed of common vulnerabilities and exposures with at least the parsed information. The method includes selectively creating an alert associated with one common vulnerability and exposure of the common vulnerabilities and exposures, wherein the alert comprises a remediation action associated with the one common vulnerability and exposure. The method includes determining at least one managed device, managed by the mobile device management server, and associated with the remediation action of the alert. Systems and machine-readable media are also provided.

Abstract: Disclosed herein is a computer-implemented method for preparation of an electronic document with a plurality of signing users, comprising associating an unsigned, encrypted document with at least a first authenticated user code for a first signing user and a second authenticated user code for a second signing user, sending the document to the signing users, decrypting the document; generating a first electronic signature from the first signing user's authenticated user code and a second electronic signature from the second signing user's authenticated user code, appending signatures to the document, duplicating the document and assigning ownership separately for each signing user, encrypting each signed document, and transferring the signed and encrypted documents to electronic vaults associated with the signing users.

Abstract: The disclosure provides an approach for coordinating a distributed vulnerability network scan. Embodiments include sending, by a computing node, a check-in message to a scanning coordinator, the check-in message indicating attributes of the computing node. Embodiments include receiving, by the computing node, a scan configuration message from the scanning coordinator, the scan configuration message comprising: scan timing information for the computing node; and a list of scanning targets for the computing node. Embodiments include determining, by the computing node, a scanning time window based on the scan timing information for the computing node. Embodiments include scanning, by the computing node, one or more scanning targets in the list of scanning targets for the computing node during the scanning time window.

Abstract: Systems and methods for assessing cybersecurity risk of a computer network include the use of a risk model application that is configured to determine an initial cyber risk score value based upon an underwriting process. A cyber risk data stream is sent from the client's computer network to the system processor to periodically calculate an updated cyber risk score based upon actual data. The system processor is adapted to use the data stream to generate client information that is accessible by the client via a web-based client portal. In embodiments, the cyber risk data stream can be actively monitored to identify a threat of a cybersecurity breach.

Abstract: Systems and methods described herein provide a cyber risk assessment service. A computing device determines weights for techniques of a cyber security framework based on historical industry impact. The computing device associates an enterprise network with an industry identifier, obtains customer risk data for the enterprise network, and normalizes and/or combines the customer risk data to form normalized risk scores. The computing device maps the customer risk data to corresponding techniques in the cyber security framework, generates technique scores based on the mapping and the normalized risk scores, and generates weighted technique scores using some of the weights selected based on the industry identifier. The computing device calculates an overall security score for the enterprise network based on the weighted technique scores, identifies a corrective recommendation for the overall security score, and provides the overall security score and the corrective recommendation for presentation to a user.

Abstract: A blockchain network includes a service sub-network, a consensus sub-network, and a routing layer configured to isolate the service sub-network from the consensus sub-network. A data processing method in the blockchain network includes: receiving a data processing request transmitted by a service node in the service sub-network; performing identity verification on the service node according to the data processing request; obtaining a running load of each consensus node in the consensus sub-network when the verification succeeds; determining, from the consensus sub-network according to the running load, a target consensus node configured to process the data processing request; and forwarding the data processing request to the target consensus node, and performing corresponding data processing on the data processing request by using the target consensus node.

Abstract: Provided is a process, including: obtaining a first password to a private computer network; determining, with a credential-monitoring application within the private computer network, whether the first password satisfies one or more criteria by: comparing the first password to a set of compromised credentials within a database within the private computer network; and determining whether the first password matches one or more passwords within the database; and in response to the determination that the first password satisfies the one or more criteria from among the plurality of criteria, causing a use of the first password to access the private computer network to be rejected and causing a first user associated with the first password to be notified to change the first password.

Abstract: A device may receive, from a user device, a transaction request associated with a first entity and identify a distributed ledger associated with the first entity, the distributed ledger including a set of blocks recording work data associated with the first entity. The set of blocks may include: a first subset of blocks including data specifying work performed by the first entity, and a second subset of blocks including data verifying a portion of the work performed by the first entity and specified by the data included in the first subset of blocks. The device may determine that a transaction, associated with the transaction request, is associated with the first subset of blocks and the second subset of blocks. Based on predetermined instructions that correspond to the transaction and the distributed ledger, the device may perform the transaction.

Abstract: Provided is a system and method for enabling of access to a computer resource by a computer system comprising: providing to a user an interface configured to receive a request for access to a computer resource; determining if the user is permitted to access the computer resource based on a user profile; providing a user verification interface configured to receive user identity verification information; determining if the user identity verification information is valid in response to a reply to the request for user identify verification information; and in response to determining that the user is permitted access to the computer resource and that the user verification information is valid: updating a security policy to reflect that the user is permitted to access the computer resource, and providing access to the computer resource for a limited time duration.