Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

Systems and methods for providing controlled access to a system by a user device include receiving, from a user device, a request including a current context. The method includes receiving a request for access to a computing resource, the request including a current context, the current context defining a user space and a resource space. The user device evaluates the current context against a security policy. The user device determines that the user device is permitted to access the computing resource based on the request in response to the evaluating the current context against the security policy. In response to determining that the user device is permitted to access the computing resource, accessing the computing resource as requested.

Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

A password evaluation engine used to evaluate a user's password that redefines the concepts of password complexity and password strength is discussed. Password complexity may be calculated by the evaluation engine so as to take into account the amount of knowledge possessed by a potential attacker, seeking to crack the password, of the rules corresponding to a rule set used for generating the password. A determination of password strength by the evaluation engine may consider a potential attacker's computational resources, the protection function used to protect/store a password and the amount of time available to the attacker to crack the password with respect to an identified search space based on the attacker's knowledge. Embodiments also enable a password strength estimator to be evaluated and policy recommendations to be generated for an entity's password policy requirements.

A password evaluation engine used to evaluate a user's password that redefines the concepts of password complexity and password strength is discussed. Password complexity may be calculated by the evaluation engine so as to take into account the amount of knowledge possessed by a potential attacker, seeking to crack the password, of the rules corresponding to a rule set used for generating the password. A determination of password strength by the evaluation engine may consider a potential attacker's computational resources, the protection function used to protect/store a password and the amount of time available to the attacker to crack the password with respect to an identified search space based on the attacker's knowledge. Embodiments also enable a password strength estimator to be evaluated and policy recommendations to be generated for an entity's password policy requirements.

As may be implemented in accordance with one or more embodiments, and apparatus and/or method may involve a first circuit that initiates secure operations by interfacing with a user and providing operation trigger data that is signed cryptographically and secured from alteration, based on the interfacing. A second circuit, including a secure element, stores data secured from access by the first circuit, and executes secure operations separately from operations executed by the first circuit based on one or more commands provided by the first circuit. Validation circuitry validates and controls accesses to the second circuit by verifying a characteristic of the operation trigger data by executing stored validation instructions with the operation trigger data, and communicating information to the second circuit based on the verifying. The second circuit is responsive to the communicated information by initiating execution of the secure operations.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

A method according to one embodiment includes monitoring, by an access control device, for changes to a first access control database stored on the access control device, wherein the first access control database is associated with a first security ecosystem having a first set of security protocols; automatically updating a mediation database stored on the access control device to identify a change to the first access control database in response to a determination that the change occurred; and automatically updating a second access control database stored on the access control device based on the change identified in the mediation database and in response to the automatic update of the mediation database, wherein the second access control database is associated with a second security ecosystem different from the first security ecosystem and having a second set of security protocols different from the first set.

An information processing system grants an access right to data to a registered user, and includes a receiving unit and a granting unit. The receiving unit receives information on an unregistered user who is to be granted with an access right to specific data. The granting unit grants the access right to the specific data to the unregistered user after the unregistered user has been registered.

Methods and systems for understanding identity and organizational access to applications within an enterprise environment are provided. Exemplary methods include collecting data about relationships between applications and metadata associated with the applications in a computing environment of an enterprise, the metadata including information concerning a plurality of users accessing the applications; updating a graph database including nodes representing the applications of the computing environment of the enterprise and edges representing relationships between the applications; enriching the graph database by associating the nodes with metadata associated with the applications and associating user accounts with metadata associated with roles, organizations membership, privileges, and permissions; analyzing the graph database to identify a subset of nodes being accessed by a user of the plurality of users; and displaying, via a graphical user interface, a graphical representation of the subset of nodes and relationships between the nodes in the subset of the nodes.