US patents for week 06/23/2009
Showing 1 - 10 of 3293
The method for securing data on a personal computer having security sensitive content grouped into security levels, each with a clearance code, includes filtering and extracting sensitive content by security level and separately storing the security content in remote extract stores. Remainder data is stored locally or remotely. A map for selected extract stores may be generated. The filter and/or map may be destroyed or stored. The data input, extracted data and remainder data may be deleted fro...
A method of determining an organization's network identity capability. The organization's relationships with its employees, customers and business partners, and the organization's technological infrastructure, are examined. By examining the organization's use of identity data (e.g., data identifying customers, employees), the organization's management of that data, and the technology infrastructure can be redesigned to enable better network identity capability. Improved network identity capabili...
A quantitative model combines a one-dimensional risk-assessment approach with expert knowledge to enable calculation of a probability or likelihood of exploitation of a threat to an information system asset without referring to actuarial information. A numerical value is established for one or more threats of attack on the information system asset based on expert knowledge without reference to actuarial data, and likewise, based on expert knowledge without reference to actuarial data, a numerica...
On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using a corresponding entry in the critical imported functions tabl...
There is disclosed a network unauthorized access preventing system in which in a network to which one or more information processing apparatuses and a network unauthorized access preventing apparatus are connected, an unauthorized apparatus which is not authorized to access the network is prevented from accessing the network. The system includes an information processing apparatus which sends a correct ARP response packet to the unauthorized apparatus in response to an ARP request broadcast from...
A method makes use of the fact that call modules, such as APIs, making calls to a critical operating system (OS) function are typically called by a call instruction while, in contrast, a RLIBC attack typically uses call modules that are jumped to, returned to, or invoked by some means other than a call instruction. The method includes stalling a call to a critical OS function and checking to ensure that the call module making the call to the critical OS function was called by a call instruction. I...
Security against replay of a message by generating a list of unique message enabling codes (TATs) in a first device and storing the list in a second device. A message generated in the first device, which includes at least one of the unique message enabling codes from the list, is transmitted to the second device. The unique message enabling code of the received message is compared with the list stored in the second device to determine whether or not to enable processing of the message by the sec...
Systems, methodologies, media, and other embodiments associated with securing ports are described. One exemplary system embodiment includes a configuration logic configured to provide a security option for securing one or more selected ports. The example system may also include a security logic configured to, in response to the security option being selected, cause a data store to be modified by changing a port count to specify a fewer number of physical ports to cause an operating system to not...
The presence of an installation on a data processing system may be detected by providing a signature that includes m files having paths associated therewith, respectively. A number n files on the data processing system are determined that match files in the signature and a files found ratio given by n/m is determined. A transformation is applied to the signature by replacing at least a portion of at least one of the paths with a new path. Then, a distance is determined between the n files on the...
A worm detection module (WDM) (212) stops worms and other malicious software from spreading among computer systems (100) on a network (210) via open drive shares. The WDM (212) monitors (310) a storage device (108) for activity (314, 316) directed to executable files by remote processes. The WDM (212) flags (318) files (216) that are the target of such activity. If a flagged file (216) attempts to create an executable file (218) on a networked computer system (100B), the WDM (212) detects (322) ...