Patents Examined by Syed A Zaidi
-
Patent number: 12231461
Abstract: Implementations include a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.
Type: Grant
Filed: August 10, 2022
Date of Patent: February 18, 2025
Assignee: Accenture Global Solutions Limited
Inventors: Gal Engelberg, Dan Klein, Alexander Basovskiy, Nimrod Busany
-
Patent number: 12216793
Abstract: In various implementations, a system includes a mobile device and a computing server system. The mobile device executes instructions including generating profiles via the application program, where each profile contains information of an individual, identifying at least one of the profiles to transmit to recipients, obtaining an update to the profiles, and transmitting the update to the recipients. The computing server system transmits a profile template to the mobile device, receives the profiles generated in connection with the profile template, validates data fields of the received profiles generated based on the profile template, stores the received profiles that are validated, receives the update, updates the profiles accordingly, generates an identifier of the profiles, and transmits the identifier and data associated with the profiles to a computing device of the recipients.
Type: Grant
Filed: December 19, 2022
Date of Patent: February 4, 2025
Assignee: True South Partners, LLC
Inventor: Ward H. Brown
-
Patent number: 12212596
Abstract: The present disclosure describes systems and methods for determining a subsequent action of a simulated phishing campaign. A campaign controller identifies a starting action for a simulated phishing campaign directed to a user of a plurality of users. The simulated phishing campaign includes a plurality of actions, one or more of the plurality of actions to be determined during execution of the simulated phishing campaign. The campaign controller, responsive to the starting action, communicates a simulated phishing communication to one or more devices of a user. The campaign controller determines a subsequent action of the plurality of actions of the simulated phishing campaign based at least on one of a response to the simulated phishing communication received by the campaign controller or a lack of response within a predetermined time period and initiating, responsive to the determination, the subsequent action of the simulated phishing campaign.
Type: Grant
Filed: March 15, 2023
Date of Patent: January 28, 2025
Assignee: KnowBe4, Inc.
Inventor: Stu Sjouwerman
-
Patent number: 12210492
Abstract: Techniques for creating, sharing, and using bundles (also referred to as packages) in a multi-tenant database are described herein. A bundle is a schema object with associated hidden schemas. A bundle can be created by a provider user and can be shared with a plurality of consumer users. The bundle can be used to enable code sharing and distribution without losing control while maintaining security protocols.
Type: Grant
Filed: August 28, 2023
Date of Patent: January 28, 2025
Assignee: Snowflake Inc.
Inventors: Damien Carru, Benoit Dageville, Subramanian Muralidhar, Eric Robinson, Sahaj Saini, David Schultz
-
Patent number: 12204676
Abstract: In an approach to improve service routing, embodiments route a service request to an execution environment. Embodiments provide a plurality of execution environments, wherein in each execution environment executable services are deployable, provide a service registry maintaining a plurality of execution environments, and receive, by the service registry, a service routing request. Further, embodiments determine a required trust level for a service relating to the service routing request by using a trained machine-learning system for outputting a trust level class when receiving service context data of the service relating to the service routing request as input, determine, using the service registry, a set of execution environments matching the output trust level class, and select, by the service registry, one execution environment of the determined set of execution environments.
Type: Grant
Filed: June 22, 2022
Date of Patent: January 21, 2025
Assignee: International Business Machines Corporation
Inventors: Uwe Karl Hansmann, Timo Kussmaul, Thomas Stober
-
Patent number: 12204641
Abstract: Systems and methods are disclosed for identifying resources responsible for events. In one embodiment, a method may include determining a number of unique actors in a plurality of actors that have accessed the resource. The method may further include identifying from the plurality of actors a set of affected actors that has been affected by an event and identifying from the set of affected actors a subset of resource-affected actors that accessed the resource prior to being affected by the event. The method may further include determining a number of resource-affected actors in the subset of resource-affected actors and, based on the number of unique actors and the number of resource-affected actors, determining an event score for the resource. The event score may be a lower bound of a confidence interval of a binomial proportion of the number of resource-affected actors to the number of unique actors.
Type: Grant
Filed: October 9, 2023
Date of Patent: January 21, 2025
Assignee: Capital One Services, LLC
Inventors: Chris Moradi, Jacob Sisk, Evan Bloom, Craig Gimby, Xin Sun
-
Patent number: 12206759
Abstract: A digital steganography system comprises a message sender in electronic communication with a message receiver through a social media platform. The message sender uses a compute device configured to conceal a secret digital message in the semantic components of a digitally synthesized image which is uploaded onto the social media platform and published in a social media post. As part of the message encoding process, the compute device for the message sender converts the digital message into binary code, applies encryption and error-correction algorithms, and then implements image synthetization operations to yield the digitally synthesized image. The message receiver is provided with a compute device configured to identify the social media post, automatically download the synthesized image, and apply an inverse set of the image synthetization operations to yield binary code which is subsequently decoded and decrypted in order to extract the original covert message.
Type: Grant
Filed: December 9, 2021
Date of Patent: January 21, 2025
Assignee: SYSTEMS & TECHNOLOGY RESEARCH, LLC
Inventors: Richard Ivey, Piyush Kumar
-
Patent number: 12199963
Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.
Type: Grant
Filed: November 14, 2023
Date of Patent: January 14, 2025
Assignee: Cisco Technology, Inc.
Inventors: Govind Prasad Sharma, Javed Asghar, Prabhu Balakannan, Sridhar Vallepalli
-
Patent number: 12197620
Abstract: Methods and systems for securely managing personal data associated with image processing include an image sensor configured to capture an image, a local computer system local to the image sensor, and a backend computer system remote from the image sensor. The local computer system has a processor with a trusted execution environment (TEE) that detects anomalies in images from the image sensor, extracts personal data from the image, and encrypts the personal data. The local computer system then sends the extracted, encrypted personal data to the backend computer system, where a backend TEE decrypts the extracted, encrypted personal data, and performs data processing by comparing the decrypted personal data to other personal data that is stored in a backend database in the backend computer system.
Type: Grant
Filed: May 2, 2022
Date of Patent: January 14, 2025
Assignee: Robert Bosch GmbH
Inventors: Christian Zimmermann, Sven Trieflinger, Betül Durak, Stefan Gehrer
-
Patent number: 12192381
Abstract: System and method of creating a multi-party computation (MPC) cryptographic signature for a blockchain based computer network, including: generating at least one first share and second share of a cryptographic key, based on a distributed key generation MPC protocol, signing a received message with the at least one first share, receiving the message signed with the at least one first share, signing the message signed with the at least one first share with the at least one second share, sending the message signed with the at least one second share and the at least one first share to a full node of the computer network, and adding a transaction to a ledger of the computer network, in accordance with the received message signed by the at least one first share and the at least one second share.
Type: Grant
Filed: September 9, 2019
Date of Patent: January 7, 2025
Assignee: ZENGO LTD
Inventors: Tal Arieh Beery, Ouriel Ohayon, Omer Shlomovits, Gary Benattar
-
Patent number: 12177354
Abstract: Provided is a computer implemented method for performing mutual authentication between an online service server and a service user, including: (a) generating, by an authentication server, a server inspection OTP; (b) generating, by an OTP generator, a verification OTP having the same condition as the server inspection OTP and using the same generation key as an OTP generation key and a calculation condition different from a calculation condition is applied or a generation key different from the OTP generation key is used and the same calculation condition as the calculation condition used for generating the server inspection OTP is applied to generate a user OTP; and (c) generating, by the authentication server, a corresponding OTP having the same condition as the user OTP and comparing whether the generated corresponding OTP and the user OTP match each other to authenticate the service user.
Type: Grant
Filed: November 17, 2023
Date of Patent: December 24, 2024
Assignee: eStorm Co., LTD
Inventor: Jong Hyun Woo
-
Patent number: 12169583
Abstract: A system, process, and computer-readable medium for securely transferring user personal identification information (PII) across platforms, based on specific permissions, are described. One or more aspects provide greater control, to a user, of when that user's PII may be released from a secure storage in a first platform and securely provided to a second platform. The timing of those releases of the PII may be controlled by specific authorizations from the user via one or more processes. Also, in addition to improving the security associated with the PII transferred between platforms, one or more aspects improve users' experiences by permitting controlled reuse of users' PII to simplify how users provide their PII to separate processes being performed on separate platforms.
Type: Grant
Filed: May 3, 2022
Date of Patent: December 17, 2024
Assignee: Capital One Services, LLC
Inventors: Brad Norcross, Sandeep K. Vanka, Mitchell Mays, Roshni Rao, Susan Hannagan, Tahressa Moore, Bryan Parker, Camille Gaelle Gupta, Arielle McMahon, Rebecca Hummel, Jiaxin Guo, Mia Frederick, Alexis Pritchard, Srikanth Vadlapati
-
Patent number: 12170656
Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Type: Grant
Filed: June 21, 2022
Date of Patent: December 17, 2024
Assignee: Rapid7, Inc.
Inventors: Paul Miseiko, James Green
-
Patent number: 12170901
Abstract: A security context obtaining method includes: a first access and mobility management function (AMF) receiving a first registration request message sent by a user equipment (UE) and validating integrity protection for the first registration request message; if the first AMF successfully validates integrity protection for the first registration request message, sending, by the first AMF, a second request message to a second AMF; the second AMF receiving the second request message; and if the second request message carries indication information and the indication information is used to indicate that the UE is validated, sending, by the second AMF, a security context of the UE to the first AMF.
Type: Grant
Filed: October 11, 2023
Date of Patent: December 17, 2024
Assignee: HONOR DEVICE CO., LTD.
Inventors: Fei Li, Bo Zhang
-
Patent number: 12170685
Abstract: Computational/communication system security tools are provided. Such tools report at least one multi-dimensional (or multi-component) data-object (based on the monitored events) to an administrator of the system. The multiple components of the data object provide multiple risk indicators (e.g., risk scores) along various dimensions of security for such systems. Thus, tools provide multi-dimensional monitoring and reporting of risks and security threats to computational/communication systems. The tools may also provide at least one risk mitigation action (e.g., quarantining and/or prohibiting particular risky entities, entity groups, and/or entity activities) based on the enhanced monitoring and detection methods presented herein.
Type: Grant
Filed: March 24, 2022
Date of Patent: December 17, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Omri Manor, Michael Shlomo Navat, Yoel Benharrous
-
Patent number: 12158975
Abstract: In various embodiments, an entity may provide a WebView where a transaction between an entity and a data subject may be performed. As described herein, the transaction may involve the collection or processing of personal data associated with the data subject by the entity as part of a processing activity undertaken by the entity that the data subject is consenting to as part of the transaction. Additionally, the entity may provide a native application where the transactions between the entity and a data subject may be performed. In some embodiments, the system may be configured to share consent data between the WebView and the native application so data subjects experience a seamless transition while using either the WebView or the native application, and the data subjects are not required to go through a consent workflow for each of the WebView and the native application.
Type: Grant
Filed: February 16, 2023
Date of Patent: December 3, 2024
Assignee: OneTrust, LLC
Inventors: Jonathan Blake Brannon, Richard A. Beaumont
-
Patent number: 12160510
Abstract: Embodiments for deleting encryption keys in a data storage system by storing a current encryption key in a key table, the current key encrypting at least some data in one or more data containers of a filesystem of the data storage system. A key table maintains a starting container ID and an ending container ID for each container encrypted by the current encryption key, and a deleted container count counting a number of containers of the one or more data containers deleted from the file system. The process determines if the number of containers in the deleted container count equals a number of containers having data encrypted by the encryption key as determined by the starting container ID and ending container ID, and if so, marks the key for deletion in a garbage collection operation, which then deletes the key from the key table.
Type: Grant
Filed: April 18, 2022
Date of Patent: December 3, 2024
Assignee: Dell Products L.P.
Inventors: Mahadev Karadigudda, Madhu Agrahara Gopalakrishna, Sankalp Suhas Taralekar
-
Patent number: 12155641
Abstract: Methods and systems for retrieving information from secondary computing systems using network access tokens are disclosed. The system can provide a user interface that lists a plurality of secondary computing systems to a client application executing at a client device associated with a user profile of the primary computing system. The system can receive, from the client device, a network token identifying a permission for accessing a second profile maintained at the secondary computing system, and retrieve the subset of data records from the secondary computing system according to a retrieval policy. The system can then update the user interface at the client application to present the subset of data records of the second profile.
Type: Grant
Filed: April 15, 2022
Date of Patent: November 26, 2024
Assignee: Wells Fargo Bank, N.A.
Inventors: Benjamin Soccorsy, Anthony Burton, Steven Pulido
-
Patent number: 12149539
Abstract: Methods performed by a processor of a computing device for managing functionality of the computing device to interact with field equipment may include determining by the processor a location of field equipment based on information obtained by the processor proximate to the field equipment, determining by the processor a location of the computing device based on geolocation information, determining whether the location of the field equipment based on information obtained by the processor proximate to the field equipment and the location of the computing device based on geolocation information are within a threshold distance, verifying the location of the field equipment in response to determining that the location of the field equipment based on information obtained by the processor proximate to the field equipment and the location of the computing device based on geolocation information are within the threshold distance, and enabling functionality of the computing device to interact with the field equipment i
Type: Grant
Filed: April 28, 2022
Date of Patent: November 19, 2024
Assignee: Charter Communications Operating, LLC
Inventors: Hany Heikal, Hossam Hmimy, Mohamed Daoud, Muhammad Khan
-
Patent number: 12147569
Abstract: A computing device includes a processor and a machine-readable storage storing instructions. The instructions are executable by the processor to: receive an input string including sensitive data to be encrypted; identify a first portion and a second portion of the input string, the first portion comprising the sensitive data; select, from a plurality of hash functions, a hash function based on the second portion; and generate a hash value of the first portion using the selected hash function.
Type: Grant
Filed: March 6, 2023
Date of Patent: November 19, 2024
Assignee: Micro Focus LLC
Inventors: Timothy Roake, Luther Martin