<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>Brian Klumpp, CISSP, PCI-QSA</title>
	<atom:link href="http://blogs.nuspire.com/bkblog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://blogs.nuspire.com/bkblog</link>
	<description>My 2 bits on securing networks and compliance</description>
	<pubDate>Wed, 10 Mar 2010 18:31:36 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Massachusetts New Privacy Law (201 CMR 17.00):  Are You Ready?</title>
		<link>http://blogs.nuspire.com/bkblog/?p=76</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=76#comments</comments>
		<pubDate>Wed, 10 Mar 2010 18:12:07 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<category><![CDATA[201 CMR 17.00]]></category>

		<category><![CDATA[Commonwealth]]></category>

		<category><![CDATA[glba]]></category>

		<category><![CDATA[Massachusetts]]></category>

		<category><![CDATA[pci]]></category>

		<category><![CDATA[privacy]]></category>

		<category><![CDATA[privacy law]]></category>

		<category><![CDATA[regulation]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=76</guid>
		<description><![CDATA[If you are a person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts, the law has changed for you. Perhaps one of the strictest laws to date for protection of personal information, the bar has been set and soon other states will be following suit. Please note: This applies to anybody who has personal information of any resident of the Commonwealth of Massachusetts - not just Commonwealth businesses!]]></description>
			<content:encoded><![CDATA[<p>March 1, 2010 has come and gone.  If you are a person who owns or licenses personal information about a resident of the Commonwealth of Massachusetts, the law has changed for you.  Perhaps one of the strictest laws to date for protection of personal information, the bar has been set and soon other states will be following suit.  Please note:  This applies to anybody who has personal information of any resident of the Commonwealth of Massachusetts - not just Commonwealth businesses!</p>
<p>Essentially, this regulation establishes minimum standards to be met in connection with safeguarding of personal information contained in both paper and electronic records.  While similar in nature to other regulations including PCI and GLBA, this regulation goes much further.  For starters, here&#8217;s the definition of &#8220;Personal Information&#8221;:</p>
<p style="padding-left: 30px;"><strong>Personal information</strong>, a Massachusetts resident&#8217;s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:</p>
<p style="padding-left: 60px;">(a) Social Security number;<br />
(b) driver&#8217;s license number or state-issued identification card number; or<br />
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident&#8217;s financial account.</p>
<p>With that, the breakdown on the requirements include:</p>
<p style="padding-left: 30px;">(1)  Develop, implement, and maintain a comprehensive written Information Security Program that contains administrative, technical, and physical safeguards.<br />
(2)  The Information Security Program shall include, but not be limited to:</p>
<p style="padding-left: 60px;">(a)  Designating one or more employees to maintain the program<br />
(b)  Identifying and foreseeing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks including:</p>
<p style="padding-left: 90px;">1.  ongoing employee training;<br />
2.  employee compliance with policies and procedures; and<br />
3.  means for detecting and preventing security system failures.</p>
<p style="padding-left: 60px;">(c)  Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.<br />
(d)  Imposing disciplinary measures for violations of the Information Security Program rules.<br />
(e)  Preventing terminated employees from accessing records containing personal information.<br />
(f)  Oversee service providers, by:</p>
<p style="padding-left: 90px;">1.  Taking reasonable steps to select and retain 3rd party providers that are capable of maintaining appropriate security measures to protect PII (Personal Identity Information) consistent with these regulations and any applicable federal regulations; and<br />
2.  Requiring 3rd party service providers by contract to implement and maintain such security measures for personal information.</p>
<p style="padding-left: 60px;">(g)  Reasonable restrictions upon physical access to records containing PII, and storage of such records and data in locked facilities, storage areas, or containers.<br />
(h)  Regular monitoring to ensure that the comprehensive Information Security Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PII; and upgrading safeguards as necessary to limit risks.<br />
(i)  Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may implicate the security or integrity of records containing PII.<br />
(j)  Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of PII.</p>
<p>In addition, every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum shall have the following elements:</p>
<p style="padding-left: 30px;">(1)  Secure user authentication protocols including:</p>
<p style="padding-left: 60px;">(a)  control of user IDs and other identifiers;<br />
(b)  a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;<br />
(c)  control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;<br />
(d)  restricting access to active users and active user accounts only; and<br />
(e)  blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;</p>
<p style="padding-left: 30px;">(2)  Secure access control measures that:</p>
<p style="padding-left: 60px;">(a)  restrict access to records and files containing PII to those who need such information to perform their job duties; and<br />
(b)  assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;</p>
<p style="padding-left: 30px;">(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.<br />
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;<br />
(5) Encryption of all personal information stored on laptops or other portable devices;<br />
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.<br />
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.<br />
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.</p>
<p>If you would like to read more information about these requirements, please visit http://www.mass.gov/consumer.</p>
<p>This is only the beginning of more state regulations and requirements to come.  Other states that have privacy laws include:</p>
<ul>
<li>Connecticut - Ct. H.B. 5658.</li>
<li>Massachusetts - 201 Mass. Code Regs. §§ 17.01 - 17.04.</li>
<li>Michigan - Mich. Comp. Laws § 445.84.</li>
<li>New Mexico - N.M. Stat. §§ 57-12B-2 - 57-12B-3.</li>
<li>New York - N.Y. Gen. Bus. Law § 3990dd(4).</li>
<li>Texas - Tex. Bus. &amp; Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. &amp; Com. Code § 501.051 - 501.053 (effective April 1, 2009).</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=76</wfw:commentRss>
		</item>
		<item>
		<title>3rd Party Applications Open Holes Too!</title>
		<link>http://blogs.nuspire.com/bkblog/?p=72</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=72#comments</comments>
		<pubDate>Thu, 05 Nov 2009 23:21:42 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=72</guid>
		<description><![CDATA[Many don't realize new vulnerabilities are discovered in 3rd party applications just as frequently (if not more so) than Windows.  In many cases, these vulnerabilities can be exploited far easier than many Windows updates.  Are you keeping your business protected?]]></description>
			<content:encoded><![CDATA[<p>For years, we&#8217;ve heard the ire of security professionals worldwide over the vulnerabilities of the Microsoft Operating Systems.  Many touted Linux or even Macintosh as the answer.  Unfortunately, there is scant support for these operating systems in the way of desktop applications in particular.  This kept many businesses from making such a move. </p>
<p>The answer from a security perspective was to keep the OS religiously patched, and run bloated up-to-date desktop anti-virus programs.  However, the one thing that is often overlooked in this approach is 3rd party applications.</p>
<p>I, for one, install at least the following applications without fail on every new desktop I build or rebuild:</p>
<ul>
<li>Adobe Reader</li>
<li>Adobe Shockwave</li>
<li>Adobe Flash Player</li>
<li>Java Runtime Environment</li>
<li>Microsoft Media Player</li>
<li>Quicktime Player</li>
</ul>
<p>I&#8217;m sure there are many other IT professionals that do the same.  Unfortunately, these often get overlooked when it comes to patching.  There is no simple &#8220;Automatic Updates Service&#8221; that can be enabled for many of these like there is in MS Windows. </p>
<p>What many don&#8217;t realize is that new vulnerabilities are discovered in these applications just as frequently (if not more so) as there are in Windows.  In many cases, these vulnerabilities can be exploited far easier than many Windows updates.  In addition, many are more dangerous in that they are usually targeted to specific businesses.  Imagine an exploit that a criminal could run by spamming a corporation with a PDF attachment.  This PDF attachment would then execute custom code that could then install backdoor applications for a hacker to use.  Trade secrets or private information?  Not anymore&#8230;.</p>
<p>Next, there are the inappropriately patched systems.  For example, how many people realize that simply upgrading the Java Runtime Environment does not necessarily close the holes the old version created?  Did you know that you have to actually manually uninstall the old versions of Java?  By default, Java&#8217;s installer does not do this, thereby leaving the exploitable code on your system.</p>
<p>This is why patch management systems are so crucial for companies.  I&#8217;m sure when you lock the doors at night, you also close the shipping doors, the windows, and any other points of entry.  Likewise, you should be closing the points of entry into your data infrastructures as well.  If you can&#8217;t close them, for one reason or another, you should at least be aware of these points of entry and make efforts to minimize the risk you&#8217;re exposing your business to.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=72</wfw:commentRss>
		</item>
		<item>
		<title>Spend an Hour Now&#8230;Earn Double That Later!</title>
		<link>http://blogs.nuspire.com/bkblog/?p=69</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=69#comments</comments>
		<pubDate>Mon, 02 Nov 2009 17:58:38 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[PCI Blogs]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=69</guid>
		<description><![CDATA[By investing in training, staff and management can get a better understanding of security implications, the audit process, and why the PCI requirements are so important. ]]></description>
			<content:encoded><![CDATA[<p>As I&#8217;ve been traveling the country lately, I&#8217;ve been learning more and more about how the PCI-DSS requirements are affecting businesses.  There does still seem to be quite a bit of misinformation as well as a lot of questions.  As a result, I&#8217;ve been changing the focus a bit.</p>
<p>I really do think companies should spend more time in training on PCI.  There is no better training, in my opinion, than that provided by auditors who have actually been in the field conducting audits.  By investing in training, staff and management can get a better understanding of security implications, the audit process, and why the PCI requirements are so important.  As a bonus, doing so will also aid in meeting PCI-DSS requirement 12.6 - &#8220;Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.&#8221;  This training should be provided to everyone in the company, not just a select few.  I&#8217;ve found that companies that take this approach get better cooperation from their employees and have an easier time making it through the audit.</p>
<p>Next, management should get involved regularly in user groups and public forums.  I, and many other auditors like me, frequently respond to posts on sites such as the <a href="http://www.pciknowledgebase.com" target="_self">PCI Knowledge Base</a>.  The beauty of these public forums is that others can benefit from similar inquiries.  In addition, we&#8217;ve all seen how different auditors have different points of view on various topics.  This unfortunately feeds some of the misinformation.  Public forums, like the PCI Knowledge Base, can help combat that as auditors will discuss their reasonings behind their points of view and challenge one another in hopes of coming to a more unified/educated approach.</p>
<p>I know time is valuable, but spending a few hours now on these suggestions will offer great returns in both the security of your data and offering a more pleasant experience during your audits.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=69</wfw:commentRss>
		</item>
		<item>
		<title>Clarifications on WPA/TKIP Vulnerabilities</title>
		<link>http://blogs.nuspire.com/bkblog/?p=66</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=66#comments</comments>
		<pubDate>Fri, 04 Sep 2009 22:31:57 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=66</guid>
		<description><![CDATA[Recently, a research paper published from Japanese academics demonstrated a newer, faster, and more reliable way to crack wireless networks that use WPA/TKIP protocols.  In the best case, such a network can be compromised in less than 1 minute now. ]]></description>
			<content:encoded><![CDATA[<p>Recently, a research paper published from Japanese academics demonstrated a newer, faster, and more reliable way to crack wireless networks that use WPA/TKIP protocols.  In the best case, such a network can be compromised in less than 1 minute now.</p>
<p>So, what does this mean?  First, we need to understand what WPA/TKIP is.  Essentially, WPA/TKIP is a method of securing wireless networks.  Wifi Protected Access/Temporal Key Integrity Protocol (WPA/TKIP) was created to fix shortcomings of an early form of wireless encryption known as WEP (Wired Equivalent Privacy).   Just as the name implies, WEP was designed to simulate an equivalent form of protection that would be found on any wired network.  As we know, WEP failed miserably, and today such networks can be compromised by anyone with even the most basic understanding of computers with simple applications that are readily available online.   As a result of these weaknesses of WEP, TKIP was created.</p>
<p>Until recently, TKIP has been a viable alternative to WEP.  Then, in November of 2008, Martin Beck and Erik Tews discovered an attack against TKIP.  Essentially, they found an exploitable hole in WPA/TKIP installations that also implemented IEEE 802.11e (Quality of Service) features.  Together with their fellow students and the aircrack-ng team, they revealed how to send bogus data to an unsuspecting WiFi client on a WPA/TKIP network.   However, since this attack does not reveal the actual key, and since the resulting exploits were “minimal”, it did not gain much public attention.  Examples of attacks that could be carried out using Beck and Tews’ attack would be ARP poisoning, causing confusion in routing traffic, and Denial-of-Service attacks that would lock out all clients from a wireless network.</p>
<p>What was overlooked, though, is the fact that it showed that there are real flaws in TKIP.  And, as is the case in wireless networking and security, it’s only a matter of time before others start expounding upon this research and come up with other ingenious ways of exploitation.  For example, not even a year after this, another group of students (Finn Michael Halvorsen and Olav Haugen) from the Norwegian University of Science and Technology Department of Telematics released another cryptanalysis of TKIP.  Their thesis and source code for modifications to aircrack-ng’s tools can be found <a href="http://files.getdropbox.com/u/103097/tkip_master.zip" target="_blank">here</a>.  Essentially, they expounded upon Beck and Tews’ earlier study and determined ways of exploiting the network beyond ARP poisoning and DoS attacks.  Examples include:</p>
<p style="padding-left: 30px;">DHCP DNS Attack:  Basically, in this attack a victim client would accept a packet from the hacker that would allow the attacker to respond to DNS queries with fake DNS replies; thus, forcing an unwitting victim to visit unintended websites or other network locations.  From there, further attacks could be attempted.</p>
<p style="padding-left: 30px;">NAT Traversal Attack:  In this example, an attacker could inject a fake packet to the client that appears to originate from an external IP address at a specific port.  The victim machine would then respond to this request, forcing the router to establish a NAT mapping between the internal computer and external ports and IP addresses.  The external machine will now be able to send traffic directly to the internal victim client on the open port in the firewall.  This could then, for instance, be used to exploit some unpatched vulnerability at the client or reveal the Internet IP address of the network, which would be useful in other scenarios as well.</p>
<p>Even still, many did not take this seriously.   The answer many gave to counter the above was to simply disable the QoS features on wireless networks or make other simple “modifications” to their setup to combat and prevent the attacks outlined above.  Well, now Japanese students Toshihiro Ohigashi and Masakatu Morii of Hiroshima University and Kobe University discovered an even more efficient means of attacking TKIP and published their findings <a href="http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf" target="_blank">here</a>.  The Beck-Tews attack would normally take about 12-15 minutes to exploit and also required QoS to be implemented on the wireless network thereby limiting the scope of attacks and what could be targeted.  These new discoveries, however, allow attackers to exploit all TKIP implementations much faster.</p>
<p>You can easily imagine how the new findings will allow future researchers, academia, and hackers to go beyond the attacks outlined above.  It’s only now a matter of time before further compromises and attacks are discovered that could take even further advantage of networks that have implemented TKIP across their enterprise.  With this knowledge, I hope it is understood that TKIP should not be used further on wireless networks that need to be secured.  There are still technologies such as WPA2/AES that have not been compromised and are readily available on commercial grade wireless access points and equipment.   If you haven’t done so already, make the switch.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=66</wfw:commentRss>
		</item>
		<item>
		<title>Security Steps for Compliance Purposes? Why Not Just for the Sake of Security?</title>
		<link>http://blogs.nuspire.com/bkblog/?p=51</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=51#comments</comments>
		<pubDate>Fri, 26 Jun 2009 21:40:13 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<category><![CDATA[PCI Blogs]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=51</guid>
		<description><![CDATA[All too often I hear businesses ask the question, "What do I need to do to be compliant with XYZ regulation?".    When I hear this, I know right off the bat, this company is in for a rough road ahead of them. ]]></description>
			<content:encoded><![CDATA[<p>All too often I hear businesses ask the question, &#8220;What do I need to do to be compliant with XYZ regulation?&#8221;.    When I hear this, I know right off the bat, this company is in for a rough road ahead of them.  The goal of proper network security precautions should not be to meet a compliance or regulatory requirement, but instead to <em>secure your data</em>.  If businesses took common precautions to protecting data, they would find themselves in compliance for most regulations, industry requirements, PCI, and even tort laws.</p>
<p>For gicks and kiggles, let&#8217;s take a look at requirements for PCI-DSS, GLBA, SOX, HIPAA, FACT Act, PIPEDA, and EU Privacy (EU Data Protection and E-Privacy Directives) to just name a few.   These alphabet soups stand for:</p>
<p style="padding-left: 30px;"><strong>PCI</strong> (Payment Card Industry Data Security Standards)  - Basically defines a set of rules, procedures, and policies that must be followed for companies across the globe that accept credit cards.</p>
<p style="padding-left: 30px;"><strong>GLBA</strong> (Gramm Leach Bliley Act) - Establishes a set of Safeguards and Privacy Rules for financial institutions and those that provide financing options for their clients.</p>
<p style="padding-left: 30px;"><strong>SOX</strong> (Sarbanes Oxley) - Contains 11 titles that describe specific mandates and requirements for financial reporting.  Applies to publicly traded companies.</p>
<p style="padding-left: 30px;"><strong>HIPAA</strong> (Health Insurance Portability and Accountability Act) - Applies to companies involved in the health care industry and how to handle personal health information data.</p>
<p style="padding-left: 30px;"><strong>FACT Act </strong>(Fair and Accurate Credit Transactions Act of 2003) - Basically contains provisions to help reduce identity theft.</p>
<p style="padding-left: 30px;"><strong>PIPEDA</strong> (Personal Information Protection and Electronic Documents Act) - Think GLBA for businesses that operate in Canada.</p>
<p style="padding-left: 30px;"><strong>EU Privacy</strong> (EU Data Protection and E-Privacy Directives) - Europe is quite a bit different from the US.  In Europe, privacy is a fundamental human right.   The general rule is to not allow the collection of private data unless permitted to by law.</p>
<p>Right off the bat, people think, &#8220;Man, that&#8217;s a lot of regulatory requirements&#8221;.  Especially when you look at companies that operate in many states and countries.  The fact of the matter is, many of the requirements overlap.</p>
<p>I tried to create a list of some of the most common security precautions that should be taken from a high level perspective across the above alphabet soup.  Admittedly, there are a number of details missing.  I then cross referenced these and tried to find some of the overlap.   Because many regulations are not very explicit, there could be arguments made either way as to whether or not a particular step should be implied and taken.  The basic goal of this chart is to illustrate the overlap.  In addition, it points out that as new laws and regulations are enacted, if you look at security holistically, you will find yourself ahead of the game, not only better securing your data but also meeting existing and future requirements.  It&#8217;s a large chart, so you may have to click <a href="http://blogs.nuspire.com/bkblog/wp-content/uploads/2009/06/screenshot1-1024x548.jpg" target="_blank">here</a> to see it all.</p>
<div id="attachment_52" class="wp-caption aligncenter" style="width: 1034px"><img class="size-large wp-image-52" title="Security Steps" src="http://blogs.nuspire.com/bkblog/wp-content/uploads/2009/06/screenshot1-1024x548.jpg" alt="Security Steps and Associated Regulation" width="1024" height="548" /><p class="wp-caption-text">Security Steps and Associated Regulation</p></div>
<p>Of course, many probably also have questions about which of the above apply to them.  Again, another basic chart is below.  Again,  it&#8217;s a large chart, so you may have to click <a href="http://blogs.nuspire.com/bkblog/wp-content/uploads/2009/06/screenshot2-1024x273.jpg" target="_blank">here</a> to see it all. If you are in doubt, you can always contact me or one of our consultants at <a href="http://www.nuspire.com" target="_blank">Nuspire</a>.</p>
<div id="attachment_53" class="wp-caption aligncenter" style="width: 1034px"><img class="size-large wp-image-53" title="Regulation vs Company Type" src="http://blogs.nuspire.com/bkblog/wp-content/uploads/2009/06/screenshot2-1024x273.jpg" alt="What Regulations Apply to What Companies" width="1024" height="273" /><p class="wp-caption-text">What Regulations Apply to What Companies</p></div>
<p>So, I urge you to not look at security steps for the purpose of meeting a compliance issue.  If that&#8217;s your goal, you are missing the point.  You will also find yourself going through process after process over and over again every time a new regulation or requirement affects you.  This reactive approach to security can get very costly and cause a lot of unnecessary grief.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=51</wfw:commentRss>
		</item>
		<item>
		<title>Small Merchants and PCI Compliance - Part 2:  Management Buy-in</title>
		<link>http://blogs.nuspire.com/bkblog/?p=42</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=42#comments</comments>
		<pubDate>Thu, 18 Jun 2009 22:23:41 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[PCI Blogs]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=42</guid>
		<description><![CDATA[Perhaps the biggest issue for PCI compliance that I've encountered is getting management on board for the process.  In most cases, I have found this easier said than done.  Here's some pointers on getting management buy-in.]]></description>
			<content:encoded><![CDATA[<p>So, as a small merchant you now know that you have to be PCI compliant.  If not, you can read my last post <a href="http://blogs.nuspire.com/bkblog/?p=37" target="_blank">here</a> on the topic.  As discussed in my last post, you should start with an IT Policy and an IT Security Policy.  Now, I was going to write my next post here on the topic of writing an IT Security Policy; however, thanks to a tweet I received from <a href="http://twitter.com/securitypro2009" target="_blank">@securitypro2009</a>, I don&#8217;t have to.  Instead there is an excellent article that can be found written recently by Jennifer Bayuk aptly titled:  <a href="http://www.csoonline.com/article/495017/How_to_Write_an_Information_Security_Policy?page=1" target="_blank">&#8220;How to Write an Information Security Policy&#8221;</a>.</p>
<p>Perhaps the biggest issue for PCI compliance that I&#8217;ve encountered is getting management on board for the process.  In most cases, I have found this easier said than done.  On a regular basis, we provide security consulting to GM dealers across the US via an IDL (Interactive Distance Learning) broadcast that is sent across GM&#8217;s satellite network to all their retailers/dealers.  One of the topics discussed, is getting management buy-in.  I thought I would take a few moments to share the tips presented during the IDL via this forum as well for your benefit.</p>
<ol>
<li>For starters, when approaching management about this topic it is best to be prepared.  A worksheet is something that will come in handy to ensure you cover your bases, demonstrate your knowledge, and also show that you &#8220;did your homework&#8221; on the topic.  The format of this worksheet should be kept simple.  Just lay out the 12 requirements, and from a high level see if you can answer &#8220;Comply&#8221; or not to each of them.  If you can&#8217;t answer them, state that too as it may be an indicator that you need to seek outside help.  If there is any requirement you know is &#8220;Not Compliant&#8221;, highlight this for future reference.</li>
<li>Review your worksheet.  If there is a large percentage of &#8220;Not Compliant&#8221; or &#8220;Unknown&#8221; statuses, then you now have your first bit of ammo when speaking to management to get your buy-in.</li>
<li>You will also need to provide some points to rationalize becoming compliant.
<ol>
<li>Why is it important that management addresses PCI?  Example answer:  &#8220;Compliance is a requirement if our business wants to continue accepting credit cards as a form of payment.  Since our company&#8217;s (Acme, Inc.) credit card income amounts to 70% of our revenue, losing this stream would be detrimental to our operations.  In addition, if we fail to comply and maintain our compliance, and are found to be in a breach, we will also be subject to fines and penalties.  These fines and penalties will not only come from the payment card brands, but also from the banks, injured parties, lawsuits, etc&#8230;  Not to mention the fact that our company name would be slung through the mud as word is released to the public.&#8221;</li>
<li>Why is the recommended solution the best solution?  Example answer:  &#8220;As you can see from my worksheet, there are a number of questions and topics that we simply cannot answer.  I think with the level of importance this is, it would be prudent to bring in a consultant to help us address this issue the most effectively.  I would hate to have us spend money in areas that are not needed only to find out there are still gaps in areas that are needed.&#8221;</li>
</ol>
</li>
<li>You want to make your rationale as persuasive as possible.  Think in the terms the manager would be thinking in.  Emphasize points such as cost savings, customer impact, avoidance of fines and penalties, or even spin it positively as a chance for growth.  For example, why not publicize the fact that you have taken the necessary efforts to protect your customers&#8217; credit card information?  Doing so could make customers feel more confident about doing business with you as opposed to somebody else!</li>
<li>Also, start by talking to some consultants early on in the process and research.  Obviously, if you&#8217;re reading these articles, you&#8217;re on your way.  You may be surprised how much of this you can do on your own without having to hire an outside service (especially the documentation and policy-writing pieces).</li>
</ol>
<p>I hope this helps get you on your way to getting management buy-in to PCI compliance.  If you are a manager, perhaps some of the examples above will help you see why this is important.  In closing, I wanted to share a great quote I read on a PCI board recently:</p>
<p style="padding-left: 30px;">&#8220;When it comes to PCI, there is no such thing as certified. There&#8217;s compliance and validation. <strong>Compliance is a state of being</strong>. Validation is a check on compliance. They are distinctly separate. There have been validated companies that have been compromised, but there has never been a compliant company compromised. Inaccurate validations abound, for sure. It makes sense why compliance is required everywhere along with varying degrees of validation.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=42</wfw:commentRss>
		</item>
		<item>
		<title>Small Merchants and PCI Compliance</title>
		<link>http://blogs.nuspire.com/bkblog/?p=37</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=37#comments</comments>
		<pubDate>Mon, 15 Jun 2009 17:47:53 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[PCI Blogs]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=37</guid>
		<description><![CDATA[Are you ready? As you may or may not be aware, starting next summer ALL merchants including the smallest will be required to become PCI compliant. With this in mind, many acquiring banks have already started mandating compliance amongst their merchants. Some merchants, however, will be caught off guard unfortunately.]]></description>
			<content:encoded><![CDATA[
<p style="margin-bottom: 0in;">Are you ready?  As you may or may not be aware, starting next summer ALL merchants including the smallest will be required to become PCI compliant.  With this in mind, many acquiring banks have already started mandating compliance amongst their merchants.  Some merchants, however, will be caught off guard unfortunately.</p>
<p style="margin-bottom: 0in;">There are a lot of misconceptions, rumors, and falsehoods floating around about what is required of these small merchants in terms of compliance fulfillment.  One of the main misconceptions is the belief that, as a small merchant, there is a different set of obligations that must be met.  This is false.  The core principles and accompanying requirements are the same regardless of the size of the merchant.  These are:</p>
<p style="padding-left: 60px;"><strong>Build and Maintain a Secure Network</strong><br />
Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters</p>
<p style="padding-left: 60px;"><strong>Protect Cardholder Data</strong><br />
Requirement 3: Protect stored cardholder data<br />
Requirement 4: Encrypt transmission of cardholder data across open, public networks</p>
<p style="padding-left: 60px;"><strong>Maintain a Vulnerability Management Program</strong><br />
Requirement 5: Use and regularly update anti-virus software<br />
Requirement 6: Develop and maintain secure systems and applications</p>
<p style="padding-left: 60px;"><strong>Implement Strong Access Control Measures</strong><br />
Requirement 7: Restrict access to cardholder data by business need-to-know<br />
Requirement 8: Assign a unique ID to each person with computer access<br />
Requirement 9: Restrict physical access to cardholder data</p>
<p style="padding-left: 60px;"><strong>Regularly Monitor and Test Networks</strong><br />
Requirement 10: Track and monitor all access to network resources and cardholder data<br />
Requirement 11: Regularly test security systems and processes</p>
<p style="padding-left: 60px;"><strong>Maintain an Information Security Policy</strong><br />
Requirement 12: Maintain a policy that addresses information security</p>
<p style="margin-bottom: 0in;">Some of the example misconceptions I have heard include:</p>
<p style="padding-left: 60px;"><strong>Rumor:</strong> As a small merchant, I do not need to secure my cardholder data environments at each location.<br />
<strong>Fact:</strong> As a small merchant, you must protect your cardholder data per all the requirements in Requirement #3.</p>
<p style="padding-left: 60px;"><strong>Rumor:</strong> Unless my acquiring bank tells me I have to be compliant, it is not necessary.<br />
<strong>Fact:</strong> Even if your acquiring bank does not inform you of your obligations under PCI, you are still required to be compliant.</p>
<p style="padding-left: 60px;"><strong>Rumor:</strong> As a small merchant, we have a different set of rules for compliance.<br />
<strong>Fact:</strong> Large or small, all merchants have the same principles and obligations for PCI compliance.  The only differences are in the reporting requirements back to your acquiring bank.</p>
<p style="margin-bottom: 0in;">Once again, I know small merchants will have many questions when it comes to their obligations under PCI.  This will be a challenging feat for many of these merchants to meet.  I suggest you contact one of our consultants at Nuspire and we can help answer questions you may have.  My advice in this area for the small merchants is to start by getting a handle on what you have for IT systems on your network(s).  Here are some questions that will get you started on the right track:</p>
<ol style="padding-left: 30px;">
<li>
<p style="margin-bottom: 0in;">Do you have an IT Policy?  If not, start creating one right away.</p>
</li>
<li>
<p style="margin-bottom: 0in;">Do you have an Information Security Policy?  If not, start creating one right away.</p>
</li>
<li>
<p style="margin-bottom: 0in;">If you have multiple locations, do you know what is on those networks?  If not, start an inventory and network survey project to see what you have and how it is configured.</p>
</li>
<li>
<p style="margin-bottom: 0in;">Is there consistency across your network?  You can see how the survey above will come in handy in determining this.</p>
</li>
<li>
<p style="margin-bottom: 0in;">Do you have a budget for possible network changes?  Chances are there will be gaps found during the process that need to be remediated.</p>
</li>
</ol>
<p style="margin-bottom: 0in;">If you start with the above, and then contact a consultant, you will be ahead of the game.  The worst thing you can do is wait until the last minute.  Consultants from Nuspire can be reached via telephone at 248-896-6150 or email at info@nuspire.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=37</wfw:commentRss>
		</item>
		<item>
		<title>Cyber Security Act 2009 (Part 1)&#8230; Huh?</title>
		<link>http://blogs.nuspire.com/bkblog/?p=31</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=31#comments</comments>
		<pubDate>Fri, 10 Apr 2009 23:12:26 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=31</guid>
		<description><![CDATA[Last weekend I was reading about a bill introduced April 1st in the US Senate co-sponsored by Sen. Jay Rockefeller (D-W.Va.) and Sen. Olympia Snowe (R-Maine).  The article was aptly titled "Bill Would Grant President Unprecedented Cyber-security Powers"]]></description>
			<content:encoded><![CDATA[<p>Last weekend I was reading about a bill introduced April 1st in the US Senate co-sponsored by Sen. Jay Rockefeller (D-W.Va.) and Sen. Olympia Snowe (R-Maine).  The article was aptly titled <a href="http://www.eweek.com/c/a/Security/Bill-Grants-President-Unprecedented-Cyber-Security-Powers-504520/" target="_blank">Bill Would Grant President Unprecedented Cyber-security Powers</a>.</p>
<p>I wanted to get a better idea of what was in this bill, so I took the liberty of downloading it and reading it.  There are some pretty startling powers being granted that could affect a large number of businesses, the Internet backbone providers, and our civil liberties.  I would just like to share a few of my findings.</p>
<p>The first question I had was, &#8220;Who would this affect?&#8221;.  The answer can be found on Page 50, starting at line 22:</p>
<p style="padding-left: 30px;">FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS - The term &#8216;Federal Government and United States critical infrastructure information systems and networks&#8217; includes -</p>
<p style="padding-left: 60px;">(A) Federal Government information systems and networks; and<br />
(B) State, local, and nongovernment information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.</p>
<p>In other words, the President has the freedom to choose as he sees fit.  This could include, for example, public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, the defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping.  You get the idea.</p>
<p>So, the next question then is, &#8220;What information would this government entity have access to?&#8221;.  The answer can be found on Page 39, starting at line 24:</p>
<p style="padding-left: 30px;">(b) FUNCTIONS - The Secretary of Commerce -</p>
<p style="padding-left: 60px;">(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;</p>
<p>Say what?  Yup.  Any and all data regardless of privacy laws or other regulations.  All together now - Big Brother.</p>
<p>But wait, it gets better.  &#8220;How will this plan get implemented?&#8221;.  The Act calls for the creation of State and Regional Cyber-security Centers that would report to the Secretary of Commerce.  The purpose of these Centers as outlined starting on Page 11, Line 13, is to:</p>
<p style="padding-left: 30px;">enhance the cybersecurity of small and medium sized businesses in the United States through -</p>
<p style="padding-left: 60px;">(1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small and medium-sized companies throughout the United States.</p>
<p>The Centers&#8217; activities will include actively transferring and disseminating solutions to a wide range of companies and enterprises, providing loans on a selective basis for advanced cybersecurity measures, and other purposes that directly compete with private sector enterprises in the cybersecurity industry.  I don&#8217;t think many IT companies would appreciate a GSE (Government Sponsored Entity) competing against them.  It&#8217;s like Fannie Mae and Freddie Mac all over again.</p>
<p>Don&#8217;t get me wrong.  I am fully aware that something needs to be done about the woeful security inadequacies in our nation&#8217;s federal computing networks.  I&#8217;m just not sure this is the proper approach.  There are more details that I will share in my next blog that I think you will find interesting as well.  This will include my thoughts on who the White House &#8220;Official&#8221; is as referenced in the WSJ article <a href="http://online.wsj.com/article/SB123914805204099085.html" target="_blank">Electricity Grid in U.S. Penetrated by Spies</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=31</wfw:commentRss>
		</item>
		<item>
		<title>What is the Value of the Cybercrime Industry?</title>
		<link>http://blogs.nuspire.com/bkblog/?p=28</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=28#comments</comments>
		<pubDate>Thu, 02 Apr 2009 20:39:49 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=28</guid>
		<description><![CDATA[There has been some debate as to the actual value of the cybercrime industry.  Some estimates have been up to $1 trillion.  While I find it hard to believe this to be the case, I do believe this number is in the billions of dollars....]]></description>
			<content:encoded><![CDATA[<p>I was reading Richard Stiennon&#8217;s blog the other day titled &#8220;<a href="http://threatchaos.com/2009/03/stay-calm-people-cyber-crime-does-not-reap-1-trillion-in-profits/" target="_blank">Stay calm people. Cyber crime does not reap $1 Trillion in profits</a>&#8221;.  In that article, Richard Stiennon stated he would be surprised if the amount actually exceeded $1 billion.</p>
<p>I for one am not sure what the total amount actually is, but I decided to do just a few hours of research anyways.  I must admit, going into this research I believed the value to be much more than $1 billion.  I&#8217;ll go ahead and share the results of my research and let you be the judge though.</p>
<p>Here&#8217;s an article from eWeek on this subject:  <a href="http://www.eweek.com/c/a/Security/Cybercrime-Internet-Fraud-on-Upswing-as-Lawmakers-Discuss-Strategy-263851/" target="_blank">http://www.eweek.com/c/a/Security/Cybercrime-Internet-Fraud-on-Upswing-as-Lawmakers-Discuss-Strategy-263851/</a></p>
<p style="padding-left: 30px;">&#8220;A recent report by Finjan on the market for rogue anti-virus products estimated revealed a group of cyber-crooks running a rogueware affiliate network had hauled in an average of $10,800 a day in profits.&#8221;</p>
<p>So, with that estimate, we&#8217;re at about $3.9 million or $10,800 x 365 days in a year.</p>
<p style="padding-left: 30px;">Also in that article:  &#8220;&#8216;Based on posts on various hacking forums we found that 1,000 bots (infected computers) are rented for $100-$200 per day,&#8217; said Finjan CTO Yuval Ben-Itzhak.&#8221;</p>
<p>So, let&#8217;s conservatively say it&#8217;s $125 for simplicity:  1,000 bots x $125/day x 365 days in a year = $45.6 million.  This brings our running total to<strong> $49.5 million</strong>.</p>
<p>Next, the IC3 (Internet Crime Complaint Center) released a report stating the dollar loss as result of cybercrime was $265 million.  This includes a variety of fraud types including non-delivery of merchandise. &#8212; <a href="http://www.ic3.gov/media/2009/090331.aspx" target="_blank">http://www.ic3.gov/media/2009/090331.aspx</a></p>
<p>Running total:  <strong>$314.5 million</strong>.</p>
<p>Now a big one pops up pertaining to intellectual property losses.  This is debatable as to if it should be included or not, but I think it should be since IP does have value.  (<a href="http://www.lafayette-online.com/science-technology/2009/03/cybercrime-increase/" target="_blank">http://www.lafayette-online.com/science-technology/2009/03/cybercrime-increase/</a>) &#8212; Article states that McAfee  &#8220;found that companies lost an estimated $4.6 billion in intellectual property  last year as a result of cybercrime.&#8221;</p>
<p>Running total: <strong> $4.9 billion</strong></p>
<p>Also, in just one case, authorities caught 4 men accused of hacking into a Calgary company&#8217;s computer system and stealing $1.8 million.  <a href="http://www.crime-research.org/news/09.05.2008/3559/" target="_blank">http://www.crime-research.org/news/09.05.2008/3559/</a></p>
<p>Running total: <strong>$4.9 billion+</strong></p>
<p>Finally, I analyzed data published at <a href="http://datalossdb.org/yearly_reports/dataloss-2008.pdf" target="_blank">http://datalossdb.org/yearly_reports/dataloss-2008.pdf</a>.  According to their reports, there were at least 20 million credit card numbers compromised last year.  A number of articles online suggest the cost to financial institutions varies wildly for each card stolen or lost.  I&#8217;ve found claims of anywhere between $2 and $4 per card.  So, with at least 20 million cards lost as a result of cybercrime alone, and a conservative figure of $2.50 per card, that value would be $50 million.</p>
<p>Using only what I found in just a few hours of research online, you can easily see how this number can grow.  We&#8217;re already near $5 billion, and definitely near if not over the $1 billion mark even if you want to lower the value of the intellectual property stolen.  Next, I&#8217;m sure we could come up with a number of VoIP phone systems that were compromised and rang up millions in long distance charges.  Then, we can throw in unreported estimates, fees paid to developers to write exploits, extortion amounts, etc.  The list goes on, but I do believe this to be at least in the billions if not tens of billions of dollars.  I do have to agree, however, that I doubt it to be into the $1 trillion territory.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=28</wfw:commentRss>
		</item>
		<item>
		<title>Doing the &#8220;Impossible&#8221;</title>
		<link>http://blogs.nuspire.com/bkblog/?p=25</link>
		<comments>http://blogs.nuspire.com/bkblog/?p=25#comments</comments>
		<pubDate>Wed, 01 Apr 2009 23:16:36 +0000</pubDate>
		<dc:creator>brian.klumpp</dc:creator>
		
		<category><![CDATA[Advice]]></category>

		<guid isPermaLink="false">http://blogs.nuspire.com/bkblog/?p=25</guid>
		<description><![CDATA[Personally, I hate expressions of absolute such as always, never, and impossible.  The more I experience, the more I realize that with the right attitude and determination anything is possible. ]]></description>
			<content:encoded><![CDATA[<p>We&#8217;ve all heard lines like these before:  &#8220;That can&#8217;t be done&#8221;; &#8220;There&#8217;s no way to make that work like that&#8221;; &#8220;It just won&#8217;t work&#8221;; and/or &#8220;It&#8217;s impossible!&#8221;  Maybe with all the negative items we&#8217;re hearing in the news (and in some cases are experiencing firsthand) like the bad economy, wars, constant bickering, higher than normal unemployment, etc., the level of general negativity is high and impacting people&#8217;s perceptions and spirit of determination.  Either way, I&#8217;m hearing more and more such statements from all around.</p>
<p>The fact of the matter is, these are times when the determined will prove themselves, and the leaders begin to emerge from the rest of the crowd.  Over the past few weeks, we have been involved in a number of projects at Nuspire that were inherited from competitors of ours.  Below are a few examples of tasks that needed to be completed.  In all cases, we were told &#8220;It&#8217;s impossible.&#8221;</p>
<p style="padding-left: 30px;"><strong>Case One:</strong> The problem was, as described in a previous blog of mine <a href="http://blogs.nuspire.com/bkblog/?p=18" target="_blank">http://blogs.nuspire.com/bkblog/?p=18</a>, that a large IT consulting firm was working with one of our clients.  An application was inherited by this team to support.  Unfortunately, they couldn&#8217;t seem to get the application working as a non-administrative user.  So, they quite absolutely exclaimed, &#8220;This application requires administrative privileges and will not work nor be supported any other way.&#8221;  The problem with this is that when you trust normal end users with full admin rights to their PCs, problems eventually ensue, and the systems can become costly to support on an ongoing basis due to viruses, malware, spyware, trojans, worms, etc. that can then run amok on the network.</p>
<p style="padding-left: 30px;">When this was brought to our attention, I wasn&#8217;t willing to settle.  I knew other developers had espoused such claims for their software before, and in the past, I was able to get such applications functioning under normal user permissions.  Now supposedly, this other IT company had spent endless hours trying to find a workaround.  They even exclaimed it would require a complete recoding (costing millions) to meet these requirements.  They thought I was crazy when I told them I wanted to try and make it work.  Needless to say, just a few hours later, a solution was found that allows these applications to run effectively and without error as a normal user, and it doesn&#8217;t require any recoding efforts.</p>
<p style="padding-left: 30px;"><strong>Case Two:</strong> If anyone has ever been responsible for managing hundreds of desktops, you know that doing so effectively requires patience, determination, and most of all creativity.  We have just taken over a desktop support contract for a nationwide firm.  The machines we inherited are Windows XP and only have 256MB of RAM.  When we started working with them (just a month ago), they were still on SP1 and had no anti-virus protection.  You can probably now only start to imagine why a competitor of ours lost this contract.  The task is to upgrade these machines to SP3 and all the latest hotfixes, upgrade Adobe, upgrade IE plugins, install a managed AV solution, keep the bootup/login times the same or just a few seconds longer, and perform all these updates in 1 business day without an onsite physical presence.</p>
<p style="padding-left: 30px;">Again, our team started working on this project a few weeks ago.  After install of the previously selected AV solution, patching, SP3 upgrade, etc&#8230; the systems&#8217; RAM utilization increased by about 30%.  The drawback of this was that it went over the physical amount of RAM available, thus significantly impacting the PCs&#8217; performance.  Obviously, this was unacceptable to the client.  Immediately, ideas were tossed around, including forgoing AV protection.  We weren&#8217;t quite willing to give up just yet though.  After some significant system changes, disabling unneeded services, and even evaluating other managed AV products, the system now is fully patched, has managed AV protection, runs all the latest IE plugins, and utilizes less than the 256MB of physical memory.  Result - the system does take a bit longer to boot, but only 20 seconds.  In addition, the remote patching and upgrading process is done with a single click and can be accomplished in under 4 hours (depending on bandwidth at each location).</p>
<p>These are just two examples over the past few weeks of &#8220;Impossible&#8221; tasks that we were able to accomplish at Nuspire.  Personally, I hate expressions of absolute such as always, never, and impossible.  The more I experience, the more I realize that with the right attitude and determination anything is possible.  If you have any examples of your own, I&#8217;d like to hear your comments and thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.nuspire.com/bkblog/?feed=rss2&amp;p=25</wfw:commentRss>
		</item>
	</channel>
</rss>
