Patents Examined by Mohammad W. Reza
  • Patent number: 11416798
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for performing a process of procuring a vendor and sub-processes associated therewith, such as performing vendor risk assessments and providing training specific to the procurement of that particular vendor. Training requirements for the user procuring the vendor and/or for the vendor itself are determined and any deficiencies in current, valid training requirements are identified. Training to address any identified deficiencies is provided as part of the vendor procurement process. Training may be customized based on trainee and/or organization attributes to improve the effectiveness of such training.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: August 16, 2022
    Assignee: OneTrust, LLC
    Inventors: Jonathan Blake Brannon, Kabir A. Barday
  • Patent number: 11409908
    Abstract: A centralized data repository system, in various embodiments, is configured to provide a central data-storage repository (e.g., one or more servers, databases, etc.) for the centralized storage of personally identifiable information (PII) and/or personal data for one or more particular data subjects. In particular embodiments, the centralized data repository may enable the system to populate one or more data models (e.g., using one or more suitable techniques described above) substantially on-the-fly (e.g., as the system collects, processes, stores, etc. personal data regarding a particular data subject). In this way, in particular embodiments, the system is configured to maintain a substantially up-to-date data model for a plurality of data subjects (e.g., each particular data subject for whom the system collects, processes, stores, etc. personal data).
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: August 9, 2022
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jonathan Blake Brannon, Jason L. Sabourin, Mihir S. Karanjkar, Kevin Jones, Richard A. Beaumont
  • Patent number: 11409862
    Abstract: A variety of methods are provided for an application or operating system (OS) kernel intrusion detection and prevention, based on verification of security invariants and legitimacy of security state transitions from the past historical state. Methods are provided for an application or OS kernel intrusion detection and prevention for unknown attack vectors and vulnerabilities based on additional security checks added to the software by means of live patching.
    Type: Grant
    Filed: July 22, 2019
    Date of Patent: August 9, 2022
    Assignee: Cloud Linux Software Inc.
    Inventor: Kirill Korotaev
  • Patent number: 11409859
    Abstract: A method for assembling a computing device including initiating a board management controller of the computing device, the board management controller having at least one fuse, forming data to control a video display operatively connected to the computing device to show an image of a watermark, and modifying the computing device. The method also includes blowing the at least one fuse in response to modifying the computing device and adjusting the watermark in response to blowing the at least one fuse.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: August 9, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Theodore F. Emerson, Luis E. Luciani, Jr., Kevin E. Boyum, Christopher M. Wesneski
  • Patent number: 11392688
    Abstract: Data transfer in a secure processing environment is provided. A digital assistant can receive audio input detected by a microphone of a computing device. The digital assistant can determine, based on the audio input, to invoke a third-party application associated with the computing device. The digital assistant can generate, responsive to the determination to invoke the third-party application, a packaged data object. The digital assistant can forward, to the third-party application invoked by the digital assistant component to execute in a secure processing environment on the computing device, the packaged data object. The third-party application can transmit, responsive to a digital component request triggered in the third-party application, the packaged data object to a digital component selector to execute a real-time selection process based on the packaged data object.
    Type: Grant
    Filed: March 21, 2018
    Date of Patent: July 19, 2022
    Assignee: GOOGLE LLC
    Inventors: Justin Lewis, Scott Davies
  • Patent number: 11394699
    Abstract: The disclosed technology relates to broadcasting encrypted data to multiple receiver devices, where some receiver devices have long-term access to the encrypted data and some receiver devices have temporary access to the encrypted data. Receivers having long-term access are part of a “member group” because these member group devices have a master key and the master key enables the member group devices to derive the necessary information to decrypt the encrypted broadcast. In contrast, devices with temporary access possess only a guest key and not a master key; without a master key, the devices need to receive the guest key from another device to decrypt the broadcast. Access to the encrypted stream can also be based on broadcasting multiple or single diversifiers, where a diversifier can include group identification information to assist in restricting access to the encrypted stream.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: July 19, 2022
    Assignee: SONOVA AG
    Inventor: Stephan Gehring
  • Patent number: 11368297
    Abstract: Embodiments of the present disclosure disclose a method and apparatus for updating a digital certificate. A specific embodiment of the method includes: receiving digital certificate data, the digital certificate data including a number of times of forwarding and a first forwarding moment; determining whether the following conditions are satisfied: the number of times of the forwarding being less than a preset threshold, or a time length between a current moment and the first forwarding moment being less than a preset time length; and increasing, in response to determining at least one of the conditions being satisfied, the number of times of the forwarding by a preset number, and forwarding the digital certificate data to another proxy server.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: June 21, 2022
    Assignee: Beijing Baidu Netcom Science and Technology Co., Ltd.
    Inventors: Huangjun Shi, Liguo Duan
  • Patent number: 11361081
    Abstract: The invention discloses a secure boot method for a terminal device, a terminal device and a medium, relates to the technical field of secure boot, and is used for solving a problem of low system boot security caused by lack of protection for system boot in the related art. The terminal device includes a first processor, a second processor and a shared memory. The method includes: acquiring, by the first processor, an SPL image file; acquiring, by the first processor and the second processor, a third duration and starting timing synchronously; in a case that the third duration expires, transmitting, by the first processor, the SPL image file to the second processor via the shared memory; and booting, by the first processor and/or the second processor, a system of the terminal device cooperatively based on the SPL image file received by the second processor.
    Type: Grant
    Filed: July 1, 2021
    Date of Patent: June 14, 2022
    Assignee: HANGZHOU VANGO TECHNOLOGIES, INC.
    Inventors: Yuan-Lung Wang, Nick Nianxiong Tan
  • Patent number: 11363035
    Abstract: A communications network security system includes a robustness agent that operates within a communications interface of a device at one or more nodes of the network to analyze and filter messages coming from or going onto the network. At each of the nodes, the robustness agent determines one or more sets of message characteristics associated with each of the messages passing through the agent, and the agent is configured to allow certain types of messages (e.g., messages with certain predetermined sets of characteristics) to be passed through the agent, prevent messages with other predetermined characteristics from being passed through the agent, such as by halting (discarding or filtering) these messages, and/or passes still other messages having other sets of message characteristics to a volume filter to be counted.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: June 14, 2022
    Assignee: FISHER-ROSEMOUNT SYSTEMS, INC.
    Inventors: Vinaya S. Rayapeta, Jacob B. Peschansky, William E. Bennett
  • Patent number: 11362997
    Abstract: A method, apparatus, system, and computer program product evaluate an information asset with a corpus of policies in conjunction with the context of access including a specific user. A large corresponding set of rules in the policy corpus are identified by computer system. A continuous process of rule evaluation occurs against information asset metadata wherein a series of processing including set of common subexpressions between the predicates of all active rules, pre-evaluation, compaction and storage are identified by the computer system in the policy and rule corpus. Metadata for the information asset is applied by the computer system to the set of common subexpressions to form partially evaluated rules for the policy. The partially evaluated rules henceforth compacted are stored by the computer system in association with the information asset.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: June 14, 2022
    Assignee: International Business Machines Corporation
    Inventors: Roger C. Raphael, Rajesh M. Desai, Iun Veng Leong, Brian Joseph Owings
  • Patent number: 11363037
    Abstract: A machine compromised by malicious activity is detected by identifying an anomalous port opened on an entity of a network. The anomalous port is detected through collaborative filtering using usage patterns derived from normal network traffic using open ports of entities on the network. The collaborative filtering employs single value decomposition with alternating least squares to generate a recommendation score identifying whether an entity having a newly-opened port is likely to be used for malicious activity.
    Type: Grant
    Filed: April 1, 2019
    Date of Patent: June 14, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Omer Karin, Ram Haim Pliskin
  • Patent number: 11354420
    Abstract: Systems and methods for performing data duplication on data that was previously consolidated (e.g., deduplicated or merged). An example method may comprise: receiving, by a processing device, a request to modify a storage block comprising data encrypted using a location dependent cryptographic input; causing the data of the storage block to be encrypted using a location independent cryptographic input corresponding to a first storage location; copying the data encrypted using the location independent cryptographic input from the first storage location to a second storage location; causing data at the second storage location to be encrypted using a location dependent cryptographic input corresponding to the second storage location; and updating a reference of the storage block from the first storage location to the second storage location.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: June 7, 2022
    Assignee: Red Hat, Inc.
    Inventors: Henri Han Van Riel, Michael Tsirkin
  • Patent number: 11349636
    Abstract: The present disclosure includes apparatuses, methods, and systems for using a local ledger block chain for secure updates. An embodiment includes a memory, and circuitry configured to receive a global block to be added to a local ledger block chain for validating an update for data stored in the memory, where the global block to be added to the local ledger block chain includes a cryptographic hash of a current local block in the local ledger block chain, a cryptographic hash of the data stored in the memory to be updated, where the current local block in the local ledger block chain has a digital signature associated therewith that indicates the global block is from an authorized entity.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: May 31, 2022
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Alberto Troia
  • Patent number: 11347659
    Abstract: A memory device comprises a memory array including memory cells, a communication interface to a host device, and a memory control unit operatively coupled to the memory array and the communication interface. The memory control unit is configured to generate a scrambler seed and a logical block address (LBA) for a block of write data received via the communication interface, scramble the block of data using the scrambler seed, encrypt the scrambler seed and the LBA using an encryption key, initiate writing a scrambled block of data and encrypted LBA and scrambler seed to the memory array, and change the encryption key in response to an erase command received via the communication interface.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: May 31, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Stephen Hanna
  • Patent number: 11348120
    Abstract: Managing digital asset representation of physical assets upon transfer of ownership of the physical asset and its digital representation, for example a digital twin. Detecting a change-of-ownership event prompts a new owner to cause generation of a new digital agreement based on the original digital agreement subject to any desired modifications. A new digital twin and a new digital agreement are generated. Data may be written to a blockchain.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: May 31, 2022
    Assignee: International Business Machines Corporation
    Inventors: Joseph G. Berti, Lisa Seacat DeLuca
  • Patent number: 11349670
    Abstract: Techniques for performing hash validation are provided. In one technique, a signature request that includes a first hash and a data identifier is received from a client. In response, the data identifier is identified and sent to a data repository, data that is associated with the data identifier is received from the data repository, a second hash is generated based on the data, and a determination is made whether the second hash matches the first hash. If the two hashes match, then the first hash is sent to a cryptographic device that generates a digital signature, which is eventually transmitted to the client. Alternatively, the digital signature is transmitted to the client prior to the first hash being validated. In a related technique, a server receives the signature request and sends the data identifier to a hash validator, which interacts with the data repository and generates the second hash.
    Type: Grant
    Filed: July 4, 2021
    Date of Patent: May 31, 2022
    Assignee: Garantir LLC
    Inventor: Kieran Miller
  • Patent number: 11348666
    Abstract: A system and method to enable a kiosk to aggregate wireless devices and report health information to a mobile consumer device is disclosed. A particular embodiment is implemented for: configuring a kiosk to detect the presence of a mobile device in the proximity of the kiosk; configuring the mobile device to detect the presence of the kiosk in the proximity of the mobile device; prompting a user of the mobile device to perform a login operation on the mobile device upon detection of the kiosk in the proximity of the mobile device; verifying the authentication of the user with the mobile device as a result of the login operation on the mobile device; and establishing a wireless data connection between a medical diagnostic device connected with the kiosk and the mobile device to wirelessly transfer the user's health data from the kiosk to the mobile device.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: May 31, 2022
    Assignee: 19Labs, Inc.
    Inventors: Ram Fish, Jerry Horel
  • Patent number: 11347411
    Abstract: In some embodiments, inputs provided to an application are securely stored and processed. In some embodiments, input data is obtained via a user interface of an application accessed on a network device and the input data is stored in a physical memory area of temporary storage of the network device. The physical memory area of the temporary storage is configured to be designated for securely storing data processed by the application and to remain designated for securely storing data processed by the application when the network device is rebooted. The physical memory area is inaccessible to other applications. The input data is processed via the physical memory area of the temporary storage in accordance with instructions of the application, and, in response to a reboot of the network device, the designation of the physical memory area of the temporary storage to securely store data processed by the application is reapplied.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: May 31, 2022
    Assignee: UBS Business Solutions AG
    Inventor: Alain Hiltgen
  • Patent number: 11343330
    Abstract: A facility for accessing information relating to a person is described. In a reader device, the facility accesses first credentials stored in a first storage device, second credentials stored in a second storage device, and third credentials stored in the reader device. In the reader device, the facility uses a combination of the first credentials, second credentials, and third credentials to decrypt information relating to the person stored in the first storage device.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: May 24, 2022
    Assignee: VYRTY Corporation
    Inventors: Eugene Luskin, Uladzimir Abashyn
  • Patent number: 11343081
    Abstract: An HSM cluster includes a set of hardware security modules that maintain a set of cryptographic keys that are synchronized across the HSM cluster. Individual applications running on client computer systems access the HSM cluster using HSM cluster clients running on the client computer systems. The HSMs are accessed via a set of HSM cluster servers that monitor the synchronization of the cryptographic keys. Synchronization of the HSMs is maintained by the HSM cluster clients. The HSM cluster clients replicate key-addition and key-deletion operations across the HSM cluster. When a new key is created by a particular HSM, a prefix associated with the particular HSM is added to the identifier associated with the new key to avoid key-namespace collisions. If the set of cryptographic keys becomes unsynchronized across the HSM cluster, applications may continue read-only cryptographic operations while the HSM cluster is resynchronized by the HSM cluster clients.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: May 24, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Benjamin Philip Grubin, Benjamin Samuel