Abstract: Authentication information at a first portion of encrypted data may be identified. A cryptographic key may be derived based on a combination of an identification of the first portion of the received encrypted data and a master key. Additional authentication information may be generated based on a combination of the derived cryptographic key and another portion of the received encrypted data. The encrypted data may be verified by comparing the authentication information at the first portion of the received encrypted data with the generated additional authentication information. In response to verifying the received encrypted data, a second cryptographic key may be derived based on a combination of an identification of the another portion of the encrypted data and the master key. The other portion of the received encrypted data may be decrypted by using the second cryptographic key.

Abstract: The disclosed computer-implemented method for determining the trustworthiness of files within organizations may include (1) identifying a file on a computing device within multiple computing devices managed by an organization, (2) in response to identifying the file, identifying at least one additional computing device within the multiple computing devices that is potentially associated with the file, (3) distributing at least a portion of the file to a user of the additional computing device with a request to receive an indication of the trustworthiness of the file, and then (4) receiving, from the additional computing device, a response that indicates the trustworthiness of the file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A cryptographic key may be received or generated at a self-encrypting key management service application where the cryptographic key is received from another application provided on a server associated with the self-encrypting key management service application. The cryptographic key may be stored at a secure enclave corresponding to the self-encrypting key management service application. A request for a performance of a cryptographic operation associated with the cryptographic key may be received from the other application provided on the server. The cryptographic key at the secure enclave corresponding to the self-encrypting key management service application may be retrieved. The cryptographic operation may be performed with the cryptographic key to generate an output that is provided to the other application.

Abstract: Techniques are disclosed for dynamically managing hardening policies in a client computer (e.g., of an enterprise network). A hardening management application monitors activity on the client computer that is associated with a first hardening policy. The monitored activity is evaluated based on one or more metrics. Upon determining that at least one of the metrics is outside of a tolerance specified in the first hardening policy, the client computer is associated with a second hardening policy. The client computer is reconfigured based on the second hardening policy.

Abstract: The disclosed computer-implemented method for locating unrecognized computing devices may include (1) identifying a plurality of cooperating computing devices on a wireless network that are each configured with a device location application, (2) determining a physical location for each cooperating computing device within the plurality of cooperating computing devices, (3) receiving, from the device location application on the plurality of cooperating computing devices, data about packets intercepted by the plurality of cooperating computing devices that are directed to the wireless network by an unrecognized computing device, and (4) locating the unrecognized computing device based on information received from the plurality of cooperating computing devices that identifies both the physical location for each cooperating computing device and signal strengths of the packets intercepted by the plurality of cooperating computing devices.

Abstract: A wireless router configured to detect an intruder. In one embodiment, a method may include monitoring received signal strength in a wireless router and creating a profile of the received signal strength as monitored during a learn mode. The method may also include comparing activity of the received signal strength in the wireless router, during an intruder detection mode, to the profile and issuing a notification, based on the comparing.

Abstract: A method and system for intruder detection is provided. The method includes generating a whitelist of media access control (MAC) addresses of a plurality of wireless devices that are acceptable in a detection zone of a wireless router and detecting, by the wireless router, a further wireless device. The method includes issuing a notification in response to absence, on the whitelist, of a media access control address of the further wireless device, the notification indicating a physical intruder within the detection zone, wherein at least one action of the method is performed by a processor in or coupled to the wireless router.

Abstract: A method, performed by a network device, for communication with Internet of Things (IoT) devices is provided. The method includes receiving a communication relevant to Internet of Things devices, wherein the communication is in accordance with a naming scheme that has conventions for objects, context, data and commands and is agnostic as to a plurality of addressing schemes of the Internet of Things devices. The method includes resolving names in the communication, in accordance with the naming scheme, and sending the communication or a further communication to one or more Internet of Things devices per the resolving.

Abstract: The disclosed computer-implemented method for dynamic access control over shared resources may include (1) detecting an attempt by a user to access a resource via a computing environment, (2) identifying a risk level of the user attempting to access the resource, (3) identifying a sensitivity level of the resource, (4) identifying a risk level of the computing environment through which the user is attempting to access the resource, (5) determining an overall risk level for the attempt to access the resource based at least in part on (A) the risk level of the user, (B) the sensitivity level of the resource, and (C) the risk level of the computing environment, and then (6) determining, based at least in part on the overall risk level, whether to grant the user access to the resource via the computing environment. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for creating security profiles may include (1) identifying, within a computing environment, a new actor as a target for creating a new security behavior profile that defines expected behavior for the new actor, (2) identifying a weighted graph that connects the new actor as a node to other actors, (3) creating, by analyzing the weighted graph, the new security behavior profile based on the new actor's specific position within the weighted graph, (4) detecting a security anomaly by comparing actual behavior of the new actor within the computing environment with the new security behavior profile that defines expected behavior for the new actor, and (5) performing, by a computer security system, a remedial action in response to detecting the security anomaly. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for threat detection using a software program update profile may include (1) building an update behavioral model that identifies legitimate update behavior for a software application by (a) monitoring client devices for update events associated with the software application and (b) analyzing the update events to identify the legitimate update behavior of the software application, (2) using the update behavioral model to identify suspicious behavior on a computing system by (a) detecting an update instance on the computing system, (b) comparing the update instance with the legitimate update behavior identified in the update behavioral model, and (c) determining, based on the comparison of the update instance with the legitimate update behavior, that the update instance is suspicious, and (3) in response to determining that the update instance is suspicious, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method and system for detecting an intruder is provided. The method includes monitoring received signal strength in a wireless router and creating a profile of the received signal strength as monitored during a learn mode. The method includes comparing activity of the received signal strength in the wireless router, during an intruder detection mode, to the profile and issuing a notification, based on the comparing, wherein at least one step of the method is performed by a processor.

Abstract: A method for intruder detection is provided. The method includes determining received signal strength of a first wireless device, while the first wireless device is moved at random within a region and generating a profile of the received signal strength of the first wireless device. The method includes determining received signal strength of a second wireless device and issuing an alert, responsive to received signal strength of the second wireless device meeting the profile. An intruder detection system is also provided.

Abstract: A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for locating unrecognized computing devices may include (1) identifying a plurality of cooperating computing devices on a wireless network that are each configured with a device location application, (2) determining a physical location for each cooperating computing device within the plurality of cooperating computing devices, (3) receiving, from the device location application on the plurality of cooperating computing devices, data about packets intercepted by the plurality of cooperating computing devices that are directed to the wireless network by an unrecognized computing device, and (4) locating the unrecognized computing device based on information received from the plurality of cooperating computing devices that identifies both the physical location for each cooperating computing device and signal strengths of the packets intercepted by the plurality of cooperating computing devices.

Abstract: A method for intruder detection is provided. The method includes monitoring, at a wireless sniffer in a building, received signal strength relative to each of a plurality of wireless access points, wherein a first wireless access point of the plurality of wireless access points is located within the building and a second wireless access point of the plurality of wireless access points is located external to the building. The method includes creating a profile of the received signal strength from each of the plurality of wireless access points, during a learn mode and comparing activity of the received signal strength from each of the plurality of wireless access points to the profile, during an intruder detection mode. The method includes issuing a notification, based on the comparing. An intruder detection system is also provided.

Abstract: The subject matter of this specification can be implemented in, among other things, a method that includes receiving, from a computing device, one or more user inputs that include levels of relevance for multiple facets of multiple applications. Each of the facets represents a different set of behaviors from a plurality of behaviors of the applications. Each one of the applications has an associated value for each of the facets based on the set of behaviors of each of the applications. The method further includes organizing a list of the applications based on the levels of relevance for the facets and the value of each of the facets for each of the applications. The method further includes providing, to the computing device, the list of the applications for presentation on a display device at the computing device.

Abstract: A computer-implemented method for protecting organizations against spear phishing attacks may include (1) searching a plurality of websites for user profiles belonging users who are affiliated with an organization and who have access to at least one privileged computing resource controlled by the organization, (2) retrieving, from the user profiles, personal information describing the users, (3) determining, based on the personal information, that a portion of the user profiles belongs to an individual user with access to the privileged computing resource, (4) identifying at least one phishing attack risk factor in the user profiles that belong to the individual user, and (5) assessing, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for protecting organizations against spear phishing attacks may include (1) searching a plurality of websites for user profiles belonging users who are affiliated with an organization and who have access to at least one privileged computing resource controlled by the organization, (2) retrieving, from the user profiles, personal information describing the users, (3) determining, based on the personal information, that a portion of the user profiles belongs to an individual user with access to the privileged computing resource, (4) identifying at least one phishing attack risk factor in the user profiles that belong to the individual user, and (5) assessing, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource. Various other methods, systems, and computer-readable media are also disclosed.