Abstract: A device access control system includes a computing system having a device access controller subsystem coupled to devices and a central processing subsystem. A device access control manager subsystem is coupled to the device access controller subsystem and operates, during initialization operations for the computing system, to identify application(s) that are configured to be provided by the central processing subsystem, and identify a first subset of the devices that satisfy application provisioning requirements for the application(s).

Abstract: Methods and systems for preventing malicious use of endpoint devices are described herein. A computing device may receive data indicative of usage of the computing device by a user. The computing device may compare the received data with other data (indicative of how an authorized user for the computing device uses the computing device) stored on the computing device to identify instances of abnormal usage of the computing device. The computing device may detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. The computing device may prevent access to a computing environment with use of the computing device in response to detection of unauthorized use.

Abstract: A computer-implemented method for identifying possible leakage paths of sensitive information may include (i) discovering an original set of users having permission to read the sensitive information at an originating storage device in an originating location via an original set of information transfer paths and (ii) performing a security action. The security action may include (A) determining an additional set of information transfer paths having information transfer paths other than the information transfer paths already discovered, via which the original set of users can write the sensitive information and (B) identifying an additional set of users having permission to read the sensitive information via the additional set of information transfer paths.

Abstract: The system is used by both Producer and Consumer of digital evidence, which use the system to provide a secure and irrefutable record of a transaction involving the use of the digital evidence to produce new protected digital evidentiary content, e.g. transcription, according to a set of rules and limitations on the use of the digital evidence over a specific period of time which expires after a certain time. The newly create evidentiary content along with security and metadata are evaluated, and results used to confirm that the evidence has been maintained according to the terms and conditions.

Abstract: In one example, a server obtains a plurality of code modules configured to identify issues in one or more network devices of a target network. Based on the plurality of code modules, the server generates a fingerprinting process configured to produce a fingerprint that includes a plurality of key-value pairs. Each key of the plurality of key-value pairs is a unique key that corresponds to select data associated with raw data obtained from the one or more network devices. Each value of the plurality of key-value pairs represents information regarding the select data. Based further on the plurality of code modules, the server generates an analysis model that is uniquely compatible with the fingerprinting process. The analysis model is configured to identify the issues in the one or more network devices based on the key-value pairs.

Abstract: A system for querying a state of aggregate N or creating a projection comprises an interface and a processor. The interface is configured to receive request to query the state of the aggregate N or to create a projection up to a target event and receive a client key. The processor is configured to rehash each event input data of the aggregate N with its corresponding sequence number and a prior event signature to generate a hash value; reencrypt the hash value using the client key to create a check signature; determine whether the check signature is equal to the prior event signature; in response to each check signature being equal to the prior event signature, replay the events of the aggregate N to generate and provide the state of the aggregate N; and in response to a check signature not being equal to the prior event signature, indicate that the aggregate N is not valid.

Abstract: A method includes receiving, at a cloud storage system, a request to access a file from an external application on behalf of a first user account, determining, based on one or more access control lists (ACLs) associated with a shared folder, that the external application is not allowed to access the file on behalf of the first user account, and receiving, from a user device associated with the first user account, a message authorizing the external application to access the file on behalf of the first user account. The method further includes modifying the ACLs associated with the shared folder containing the file and a subfolder, and allowing the external application to access the file on behalf of the first user account based on the user information of the first user account and the application information of the external application in the modified ACLs.

Abstract: A system and method described below prevents exploitation of a client's PKI station using the a token installed on other host (attackers') processors. This is accomplished by binding the token to the approved PKI client station (host) using the a software development kit installed in the PKI client station. Once a token is bound to a PKI client station, the token can no longer be used on another station unless permitted by authorized personnel.

Abstract: The present application discloses a method, system, and computer system for managing data using keys. The method includes receiving a request to access data stored within a tenant database associated with a tenant, wherein the data is encrypted based at least in part on a tenant service encryption key (TSEK) corresponding to the tenant database, determining a wrapper key used in connection with encrypting the TSEK based at least in part on a TSEK metadata stored in association with the TSEK, determining a top-level key used in connection with encrypting the wrapper key based at least in part on wrapper key metadata stored in association with the encrypted version of the wrapper key, obtaining the data stored within the tenant database, comprising decrypting at least part of the data based at least in part on (i) the TSEK, (ii) the wrapper key, and (iii) the top-level key, and providing the data in response to the request. The TSEK metadata is stored in the tenant database.

Abstract: A secure server is configured to host one or more secure applications. A first user device includes a camera operable to capture a first image of a first user of the first user device. The first user device receives a notification that indicates confirmation of authentication of a second user of a second user device is needed after the second user requests access to the secure server. Following receipt of the notification, the first user device captures a first image of the first user. The first image includes at least a portion of a face of the first user. Facial recognition is performed, and results of facial recognition are provided to the second user device where it is used for multi-person authentication.

Abstract: An example operation may include one or more of receiving an event from a node, extracting an identifier from the event, determining whether the event is authorized, and generating a notification of the event when the identifier is authorized, wherein the identifier includes a hashed value of an event counter and wherein the identifier is authorized when the hashed value matches a hashed value of the event counter stored in a storage area of or coupled to the client.

Abstract: A method for attestation of Control Flow Integrity (CFI) of an application running on an end entity whereby an asymmetric key pair is generated by a Key Management Module (KMM) comprising a private key and a public key, then the public key is signed with a device key unique to the end entity thereby generating a public key certificate which attests to the private key being in possession of the end entity. The asymmetric key pair is based on the executing code of the application and the device key. The attestation claims regarding CFI of the application are signed by the private key in a dedicated signature module.

Abstract: Systems and methods for connecting a private device to a public device based on various connection parameters. For example, a media guidance application may receive a communication requesting to use the public device from a private device that is implementing a private interface application (e.g., Netflix™ a streaming media application). In response, the media guidance application may generate an authorization key that is unique to the private device and comprises connection parameters. The media guidance application may transmit the authorization key to the private interface application to initiate a session between the public device and the private device. Whenever a command is received from the private device, the media guidance application may verify the authorization key and determine whether the connection parameters are satisfied. In response to verifying the authorization key and the connection parameters, the public device may execute the received command.

Abstract: A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Abstract: A method of performing out-of-band user authentication includes, by a service electronic device associated with a service a request to initiate a session of the service, generating an authentication token, encrypting the authentication token to generate an encrypted authentication token, and transmitting the encrypted authentication token to the electronic device.

Abstract: A computer-implemented access method is provided. The method comprises the steps of: (i) submitting, to a blockchain (such as the Bitcoin blockchain), an access blockchain transaction addressed to a derived public key derived at least in part from a secret value and a public key; (ii) generating a verification public key based at least in part on the secret value and the public key; (iii) comparing the derived public key and the verification public key; and (iv) based on the comparison of step (iii): (a) allocating the at least one of the derived and verification public key as a further public key for verifying a further derived public key; and (b) granting access to a resource associated with at least one of the secret value and the derived public key.

Abstract: A drilling system includes a surface system comprising a control panel. The drilling system further includes a pressure control equipment configured to be operatively coupled to the control panel, wherein the control panel comprises at least one intrusion prevention system (IPS) enabled device configured to provide for one or more IPS functions.

Abstract: A method of enhancing travel security features associated with a mobile device is provided. The method may include operating a time clock to store a start device confiscation time in a memory and to store an end device confiscation time in the memory, monitoring the mobile device to detect tampering occurring between the start device confiscation time and the end device confiscation time, and in response to the detecting of tampering, prompting the user for a secure identifier. Upon receipt of the secure identifier, the method may include opening a secure i/o pathway to a re-image file. The secure i/o pathway preferably enables execution of an executable re-image file. The re-image file may be used to re-image a software image of the mobile device. The re-image file may contain a pre-tampered image of the mobile device.

Abstract: A terminal device may, in a case where a first type of related information including a public key is obtained due to a first type of communication device outputting the first type of related information, send first connection information to the first type of communication device. The first type of communication device may be capable of executing a wireless communication complying with a predetermined rule of Wi-Fi scheme. The terminal device may, in a case where a second type of related information different from the first type of related information is obtained due to a second type of communication device outputting the second type of related information, send second connection information to the second type of communication device. The second type of communication device may be incapable of executing a wireless communication complying with the predetermined rule.

Abstract: A cybersecurity solution for monitoring and assessing an overall cybersecurity posture level of an operation technology environment to increase the level when it is determined to be below a setpoint value for the operation technology environment. The solution includes, among other things, receiving metrics data for a corresponding one of each of a plurality of cybersecurity posture indices for the operation technology environment, determining a cybersecurity posture index value for each of the plurality of cybersecurity posture indices based on the metrics data, applying a weight to each of the plurality cybersecurity posture index values to calculate a respective weighted cybersecurity posture index value, and determining an overall cybersecurity posture level of the operation technology environment based on a sum of each weighted cybersecurity posture index value.