A system and method of deployment of malware detection traps by at least one processor may include performing a first interrogation of a first Network Asset (NA) of a specific NA family; determining, based on the interrogation, a value of one or more first NA property data elements of the first NA; obtaining one or more second NA property data elements corresponding to the specific NA family; integrating the one or more first NA property data elements and the one or more second NA property data elements to generate a template data element, corresponding to the specific NA family; producing, from the template data element, a malware detection trap module; and deploying, on one or more computing devices of a computer network, one or more instantiations of the malware detection trap module as decoys of the first NA.

Systems and methods for identifying potentially compromised devices using attributes of a known compromised device may be provided. In one embodiment, an attribute set can be constructed for the compromised hosts using data from these logs. Weights can be assigned to each attribute in the attribute set initially, and further weights can be learned using audits by a user. This attribute set can be used in the disclosed systems and methods for identifying hosts that are similar to compromised hosts. The similar items can be used as hosts for deception mechanisms, can be taken off the network as being likely compromised or likely to become compromised, or quarantined.

An electronic system includes: a control unit configured to operate on a user interface; and the user interface, coupled to the control unit, configure to: present an application coupled to an access configuration to customize a permission level for a service type, and receive an input for changing the permission level of the service type for accessing a resource type for customizing an operation of the application on a device.

Protection of POS terminals is enabled by multi-pronged security apparatus that includes: initializing the POS terminal and storing a profile of the terminal, and thereafter monitoring for any change in the POS terminal environment; inserting a bait into the memory (e.g., RAM) of the POS terminal, and monitoring the bait, such that when it is detected that the bait has been read, an indication of potential intrusion is issued; and providing communication channel between a monitoring center and plurality of POS systems, so that whenever an indication of potential intrusion is issued by a terminal, it is sent to the monitoring center and the monitoring center alerts the administrators of the participating POS systems, and the affiliated merchants about identified attacks to enable a response or removal of compromised terminals from service, including but not limited to temporary payment transactions blocking.

A compliance monitor measures metrics regarding one or more managed devices in a network. The compliance monitor generates a log based on the information detected by the measurement trackers and to transmit a report based on the generated log to a recipient. The compliance monitor also initiates one or more security actions based on the one or more measurement trackers indicating that a measured metric exceeds an associated threshold measurement value.

A protection method and device for application data are provided. The method includes: acquiring a data request sent by a monitored application, wherein the data request is used for requesting data in a first data source in which data needing protection is stored (S302); and redirecting the data request from the first data source to a second data source, wherein the second data source is used to store false data of the data needing protection (S304).

A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process.

A management system detects a change at the target device. The management system transmits a request message to authorization devices of the authorization users of the multi-user authorization pool to from the authorization users an indication of whether the detected change is approved. The management system receives a plurality of response messages from authorization devices of the multi-user authorization pool indicating whether the detected change is approved by the corresponding authorization user, and based on at least three of the plurality of response messages indicating a disapproval, that the detected change is disapproved. In response to the determination that the change is disapproved, an instruction message is sent to a target managed device to instruct the target managed device to rollback to an earlier state.

Potentially malicious uniform resource locators and websites are safely and effectively investigated through live forensic browsing. Live data from an isolated browser feeds a security information and event management (SIEM) tool and other forensic tools during a browsing session, allowing investigators to direct the browsing in response to analysis results. Session data may be translated for SIEM ingestion. Browsing sessions may be manually or automatically customized to obscure their forensic nature, by routing selection, by bandwidth or latency adjustment, or by spoofing externally detectable characteristics such as geolocation, user agent, time zone, and language. Forensic activity by an investigator may also be obscured from discovery by an attacker as a result of spoofing the browser's context, such as plugin status and host machine physical characteristics. Human presence tests relied on by attackers may be satisfied without sacrificing a targeted system's cybersecurity or an investigator's access to forensic tools.

Computerized methods and systems mitigate the effect of a ransomware attack on an endpoint by detecting access events associated with requests by processes, including ransomware processes, to access data items on the endpoint. The data items are hidden from the operating system processes executed on the endpoint. In response to detecting an access event, an action is taken against the process associated with the access event.