At the Open Group meeting in Austin a couple of weeks ago, I attended the workshops on IT risk assessment. Pretty dull, eh? In fact, this topic produced some of the liveliest debate I’ve ever had at a conference.

Unless you specialize in this area, you may think that risk assessment is pretty well sewn-up. You couldn’t be more wrong. Get 50 practitioners in a room and you will have 50 different methodologies for assessing IT risk. The trouble is that nearly all of them will be subjective – the outcome of any risk assessment exercise is most likely to be ‘high’, medium’ or ‘low’. Even when it’s an apparently objective number -- 54,821, for example – you don’t learn all that much. Try going to your board and telling them that their IT risk is 54,821 and their eyes are likely to glaze over very quickly! Any attempt to calculate ‘annual loss expectancy’, although valiant, only results in trouble when the degree of variability is larger than the sum itself!

So we urgently...

Is the public sector bothered about IT risk? Although it’s a hot topic, as we saw at RSA in February, surely the public sector is more worried about saving money and meeting government targets? Well, yes – but one of the best ways of doing this is to ensure your IT systems operate efficiently and can deliver the services the public want, when they want them, not just when your offices are open. Shared services save money too – but mean sharing the security pain as well as the productivity gain. All this means more IT risk.

Symantec recently released the latest in-depth study taken from its IT Risk Management Report. This is a mini-report on findings from the public sector. The report looks at how IT professionals in the public sector view sources of IT risk and the effectiveness of the controls used to manage it. The report is based on feedback from 77 IT professionals in...

Firewalls, intrusion detection and prevention systems, antivirus – they’re all old tricks of the trade that IT has traditionally deployed to maintain the security of large and complex networks.

But are they enough? Threat volume is rising, propagation speed is increasing, and attacks are becoming more advanced and elusive. Luckily, there are innovative new ways to complement the traditional approach. And security’s bright side may be on the ‘dark’ side.

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. A darknet is an area of routed IP address space in which no active services reside.

IT is increasingly using this ‘dark’ network as a powerful security tool. Because no legitimate packets should be sent to or from a darknet, the majority are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code...

The amount of new malware in the wild is growing quickly. While this is not a new observation, I have seen some claims that behavioral detection may be the answer to this ever-increasing amount of malware. Unlike more traditional types of detection that look at static attributes inherent in a piece of software, such as unique data, code, etc., behavioral detection involves running a possible threat, tracking its behavior with various monitors, and then using the information gathered to determine if it is malicious. As more behavioral detection products emerge, one article asked “Is Desktop Antivirus Dead?” [1]. Hardly, but it is worth a look at why the question even comes up.

Behavioral detection holds out the promise of more zero-day detections, and it reduces the number of updates you need to make to your antivirus software. Note that you cannot safely eliminate updates, since the definition of malicious behavior changes over time. The history of malware, from viruses and...