Author Archive

Drawing the Line Between Business and Personal Computing

November 4th, 2010 admin 2 comments

As high-tech electronic devices become more and more pervasive throughout everyone’s personal life, IT workers are practically demanding that their employers provide the same technology in the workplace as they use in their personal life. Instead of being tied to their desks for a traditional workday, employees prefer to be able to take their work with them as they live their lives. While this can provide a benefit to the IT shop that requires 24x7 coverage, the unattached, alternative-platform worker also presents certain challenges and risks to a company that allows the consumerization of their IT department through the use of WiFi, smartphones, and other consumer-based technologies.

WiFi and Data Security
One of the biggest security threats with enabling a mobile workforce is insecure WiFi access. Although an IT shop can secure their on-site WiFi network, employees that use external networks are a whole different story. If an employee decides to work on their presentation over coffee before meeting with their next customer, anything could happen. All it takes is one breach on a machine that contains sensitive data to compromise the entire company. Although the ever-increasing availability of free WiFi offers an attractive option for companies that are trying to trim expenses in every way possible, it can be an expensive savings. While security measures can be put in place on mobile devices, an aircard might be a better way to go. As long as the device is within range of a mobile phone signal, the aircard is just as secure as any other dedicated broadband connection. As additional protection, companies should install utilities on mobile devices that perform scans for viruses and malware each time a connection is made to the corporate network.

Employee-Owned Devices
When employees would prefer to use their own devices on the corporate network, it can present a multitude of challenges. In fact, many companies specifically prohibit anyone from connecting to their network with personal devices due to the security risks. The following list details some of the risks and challenges involved with allowing employees to use their own equipment for work:
• Controlling Access – An employee’s spouse, children, friends, or even a virtual stranger may be given access to their personally-owned devices. Even the most innocent use could result in exposure of sensitive data.
• Virus Infection – As employees use the internet or install programs for their own use, they may infect their electronic devices with viruses or malware that can affect the corporate system.
• Supporting Multiple Platforms – If an employee insists on using an Apple-based laptop and an iPhone when the rest of the company uses PCs and Blackberrys, support can become an issue. The company may incur additional costs if they must support alternative versions of software or provide tech support for hardware problems.

Supporting Diverse Programs
In most cases, employees will install a variety of applications for both personal and business use. From instant messaging (IM) programs to applications that remember personal information, the employee may believe that the new programs help them to do their job better and faster. All may be good until there is a problem. An IT support desk has enough problems when they are in complete control of the type of devices and programs that operate under their corporate umbrella. Consumerization of IT opens the floodgates for an anything-goes attitude. While productivity can be impacted if someone’s personal device is rendered unusable, the entire IT shop can experience an outage when an unsafe application compromises a critical system or database on the host. Rules, procedures, and systematic safety nets should be put into place to protect the corporate network, but what about the individual employee? There’s no simple solution to this problem. While it’s expensive to support a wide-open system, it’s not feasible to implement a use-at-your-own-risk rule for employee-installed programs.

Employee Productivity
In most cases, if a manager can see their employee, they can be assured that they are performing their job responsibilities to some degree. While most workers will appreciate the opportunity to work from home or catch up on a project while they’re waiting for their child’s game to start, some will take advantage of this new job benefit. By monitoring mobile usage through new programs, a company can get an idea of whether or not their employee is working or hanging out on social networking sites. As the programs are refined, it might be possible to tell if someone is actually attending a special training class or if they’re hanging out in the bar around the corner.

The consumerization of IT is an inevitable development. To maintain efficiency and security, corporate IT shops will be forced to change the way that they look at employee productivity, system support, and network security.

Information Technology Security

October 26th, 2010 admin No comments

While most companies have several security defenses in place to guard against threats, such as firewalls and antiviral software, a very important question is still left on the table: Exactly how effective are these measures? Although it is a deceptively simple question, every company must find their own answer to this essential question. Without this critical information, your organization could be left wide open to incoming threats because of unknown vulnerabilities. Let’s investigate a few ways to effectively evaluate your organization’s data security:

Penetration Tests
A penetration test, or pentest, is basically an attempt to hack into the system from outside the network. This simulated attack analyzes the system for any potential vulnerability points that could result from configuration problems, hardware or software defects, or poor operational procedures. A penetration test will typically look for points that are vulnerable not only to outside attackers, but also to insiders. If an employee can view unauthorized data, it can be just as dangerous as allowing a hacker to gain access. Penetration tests can be classified as either Black Box, where the tester knows nothing about the system, or White Box, where the tester has complete knowledge of the system infrastructure. Of course, some installations have used modified rules and referred to it as Grey Box testing. Every system that connects to the internet or allows access from any other external source should undergo penetration testing on a regular basis.

Network Discovery Assessments
A network discovery assessment analyzes your network’s infrastructure to identify every device that is connected to your network and search for configuration weaknesses. By clearly identifying each machine within a contiguous IP address range, the system engineers can detect any new or unexpected devices that are connected to the network. While an unknown machine usually occurs because an incorrect IP address was assigned or a cabling error was made, a network discovery assessment will also point out any truly unauthorized computer, such as a hacker’s machine, that is connecting to your company’s network.
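The reconciliation step described above can be sketched as follows. This is an added example, not code from the original article: the inventory, the discovery output, the address range and the finding names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: MAC address -> (expected IP, asset name).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("10.20.0.10", "file-server"),
    "00:1a:2b:3c:4d:02": ("10.20.0.11", "print-server"),
    "00:1a:2b:3c:4d:03": ("10.20.0.12", "hr-workstation"),
}

# Constructed discovery output, one "ip mac" pair per line, in the shape an
# ARP sweep of the assessed range might be exported.
DISCOVERED = """\
10.20.0.10 00:1A:2B:3C:4D:01
10.20.0.11 00:1a:2b:3c:4d:02
10.20.0.44 00:1a:2b:3c:4d:03
10.20.0.57 de:ad:be:ef:00:99
10.20.0.11 00:1a:2b:3c:4d:77
"""


def parse_discovery(text):
    """Return (ip, mac) pairs; MACs are lower-cased so matching ignores case."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_text, mac = line.split()
        pairs.append((ipaddress.ip_address(ip_text), mac.lower()))
    return pairs


def assess(pairs, authorized, network):
    """Compare discovered devices with the inventory and list the differences."""
    net = ipaddress.ip_network(network)
    findings = []
    macs_by_ip = defaultdict(set)
    seen_macs = set()
    for ip, mac in pairs:
        macs_by_ip[ip].add(mac)
        seen_macs.add(mac)
        if ip not in net:
            findings.append(("out-of-range", str(ip), mac))
        if mac not in authorized:
            # A device nobody registered: the "truly unauthorized computer" case.
            findings.append(("unknown-device", str(ip), mac))
        elif ipaddress.ip_address(authorized[mac][0]) != ip:
            # A known device on an unexpected address: the misassigned-IP case.
            findings.append(("wrong-ip", str(ip), mac))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            # Two devices answering for one address: conflict or impersonation.
            findings.append(("duplicate-ip", str(ip), ",".join(sorted(macs))))
    for mac in sorted(set(authorized) - seen_macs):
        findings.append(("not-seen", authorized[mac][0], mac))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_discovery(DISCOVERED), AUTHORIZED, "10.20.0.0/24"):
        print(*finding)
```

Running the same comparison after every sweep turns the assessment into a change report: only devices that differ from the inventory are listed.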

Network Sniffing
A network sniffer can be either a hardware device or a piece of software that intercepts and logs traffic passing over a network in order to capture information about each packet’s final destination. Some network sniffers have the ability to generate errors within the system to test for the ability to handle error conditions. Depending on the capabilities of the individual network sniffer, it can be configured in the following ways:
• Wired Broadcast LANs – A network sniffer can monitor traffic traveling across either the entire network or on specific parts of the network from one machine. To minimize a potential bottleneck, ARP spoofing or monitoring ports can be used.
• Wireless LANs – A network sniffer can monitor the traffic on one specific channel.
• Promiscuous Mode – If the network sniffer supports this feature, the network adapter can be set to promiscuous mode to allow the sniffer to monitor multicast traffic sent to a group of machines that the adapter is listening to.
• Monitor Mode – This is a step up from promiscuous mode. It allows the sniffer to process everything that it could in promiscuous mode plus packets for other service sets.
In terms of information security, network sniffers provide value by detecting network intruders, discovering network misuse by internal and external users, and isolating exploited systems. On the other side of the coin, hackers can use network sniffers to learn information to effect a network intrusion and to collect passwords or other sensitive information.

Checking Password Security
Because most users will choose a password that’s easy to remember, instead of one that’s hard to guess, password security is critical to overall information technology security. After all, once a hacker has a valid user id and password, much of the system is readily available. Passwords should be encrypted within the system, and rules should be put into place to reflect the potential security risk of an individual system. If the risk is low, it might be enough to require the user to create an eight-byte password with at least one character and one number that expires at 30 days. At the other end of the spectrum, the password should expire every week and require the user to use a mix of upper case, lower case, numeric, and special characters while restricting the use of any word found in a standard dictionary and consecutive keyboard characters.
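The two ends of that spectrum can be written down as a checkable policy. The following is an added example, not code from the original article. It reads "one character" as "one letter", and it assumes an eight-character minimum for the high-risk tier, a three-key threshold for keyboard runs and a small constructed word list.

```python
import string
from datetime import date

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for a standard dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey", "summer"}

# The two tiers described in the text. The high tier's minimum length is an
# assumption; the article only gives a length for the low-risk case.
POLICIES = {
    "low": dict(min_length=8, max_age_days=30,
                classes=("letter", "digit"), dictionary=False, keyboard=False),
    "high": dict(min_length=8, max_age_days=7,
                 classes=("upper", "lower", "digit", "special"),
                 dictionary=True, keyboard=True),
}

CLASS_TESTS = {
    "letter": str.isalpha,
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: c in string.punctuation,
}


def has_keyboard_run(password, run=3):
    """True if `run` adjacent keys of one keyboard row appear, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def contains_dictionary_word(password, words, min_word=4):
    """True if any dictionary word of at least `min_word` letters is embedded."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_word)


def check_password(password, tier, last_changed, today, words=SAMPLE_DICTIONARY):
    """Return the list of policy violations for `password` under `tier`."""
    policy = POLICIES[tier]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too-short")
    for cls in policy["classes"]:
        if not any(CLASS_TESTS[cls](c) for c in password):
            problems.append("missing-" + cls)
    if policy["dictionary"] and contains_dictionary_word(password, words):
        problems.append("dictionary-word")
    if policy["keyboard"] and has_keyboard_run(password):
        problems.append("keyboard-run")
    if (today - last_changed).days > policy["max_age_days"]:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    today = date(2010, 10, 20)
    for tier in ("low", "high"):
        print(tier, check_password("summer2010", tier, date(2010, 10, 1), today))
```

The same password passes the low-risk tier and fails the high-risk tier on four counts, which is the gap the paragraph describes.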

Checking Wireless Security
Wireless access is a growing trend in today’s business world, but it comes with huge risks for security vulnerabilities. As long as a hacker is within the zone of your company’s wireless signals, they can connect to your system and attempt to log in. If a wireless network adapter isn’t configured properly, it can leave the door wide open to attacks, and the hacker may be able to get in with a simple admin/password sign on. In addition to securing each known wireless access point, the network should be searched for unauthorized wireless ports that may have been left over from testing, set up by accident, or created with malicious intentions.

Virtualization for the Dynamic Enterprise

October 15th, 2010 admin No comments

What does Server Virtualization Mean?
Server virtualization is the use of technology to separate software, including the operating system, from the hardware. This means that you can run several environments on the same physical server. In some installations, this could mean that several identical operating systems are run on the same machine. Other shops could decide to run a Windows platform, a Linux system, and a UNIX environment on a single server.

Advantages of Server Virtualization
In today’s demanding business environment, server virtualization offers many different advantages. Not only does virtualization allow servers and data to be more mobile than ever, it also provides a cost-effective way to balance flat or shrinking budgets. The following list details the major benefits:
• Consolidation – Most large servers run applications that only take up a small percentage of their processing power. Even busy software packages usually only have small peak times that utilize over 50% of their CPU capabilities. The rest of the time, the capacity is unused. By virtualizing the server so that additional systems can take advantage of under-utilized resources, IT shops can increase their return-on-investment (ROI). Although some companies have reported a consolidation ratio as high as 12:1, most shops can easily show a 3:1 to 4:1 rate.
• Decreased Footprint – By decreasing the number of physical servers, the size of the computer room can be reduced and utility costs should decrease.
• Lower Hardware Costs – The utilization of a higher percentage of existing hardware resources will reduce the total number of physical servers that are needed. This will save money on the upfront expense of purchasing hardware and the long-term cost of maintenance.
• Flexibility – Server virtualization allows an IT shop to be much more flexible. Instead of waiting for new hardware to arrive before implementing a new system, a new virtual server can be created on an existing machine. This also provides a more flexible method for migration and disaster recovery.
• Easier Testing and Development – Historically, IT installations have used separate physical servers for their development, acceptance testing, and production environments. With virtualization, it is an easy process to create either different or identical operating environments on the same server. This allows developers to compare performance on several different environments without impacting the stability of the production system.

Virtualization and Disaster Recovery
The growth in both international business and large-scale natural disasters has many organizations closely analyzing their disaster recovery plans and general hardware malfunction procedures. In either event, it is critical to be back up and running in a very short period of time. Most modern IT shops require consistent up-time 24-hours a day to maintain their core operations, or their business will be severely impacted. Both reliability and accessibility are greatly improved when server virtualization is used to its fullest potential.

By reducing the total number of servers needed to duplicate the production environment, it is much less expensive to create and test an off-site disaster recovery environment. Hardware, space, and backup expenses are dramatically reduced. It’s easy to see how setting up 30 or 40 pieces of hardware would be both easier and cheaper than configuring 100 items.

Along the same lines, a hardware malfunction will be less of an issue with server virtualization. While many more systems will run on the same piece of hardware, most shops find that they can easily duplicate physical servers for automatic rollover in the event of a hardware failure when they virtualize.

Major Virtualization Products
While there are always smaller players in any new technology, VMware and Microsoft Virtual Server are the biggest providers of server virtualization products.
• VMware offers the free VMware Server package or the more robust VMware ESX and ESXi products. Systems that are virtualized by VMware products are extremely portable and can be installed on virtually any new piece of hardware with a low incidence of complications. The system can be suspended on one machine, moved to another one, and immediately resume operations at the suspense point when restarted.
• Microsoft Virtual Server is a virtualization product that works best with the Windows operating systems, but can also run other systems like the popular Linux OS.

The Dangers of SPAM

October 11th, 2010 admin 2 comments

Spam, named after the canned meat that has been the butt of many jokes, is the mass sending of unsolicited emails. It clutters email inboxes, makes it hard to find legitimate communications, eats bandwidth, consumes mass amounts of storage, and irritates the computer user. If the computer user makes a mistake and opens the wrong email or clicks on the wrong link, their computer can quickly become infected with a virus or spyware. Spam is considered so detrimental to normal communications that the Federal Trade Commission (FTC) has passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act aimed at preventing spam.

Spam Statistics
The numbers related to spam are staggering. To illustrate how large this problem is, take a look at the following numbers:
• Globally, unsolicited spam emails account for 14.5 billion messages each day. This represents 45% of the total email volume.
• The largest volume of spam originates in the United States, with Korea following close behind.
• The top three spam categories are advertising at 36%, adult-related material at 31.7%, and financial material at 26.5% of all spam emails.
• Although spam is annoying, only 2.5% of all spam is fraudulent. Identity theft, or phishing, makes up the majority of fraudulent emails.
• It is estimated that spam costs the business world over $71 billion each year in processing time and lost productivity. That number is expected to grow to $257 billion per year if spam is allowed to continue at its current growth rate.

New Generation of Email Risks
Spam isn’t just annoying, it brings many larger problems. Spam is one way that hackers can access your system. If they can convince an unsuspecting user to click on a link, they may be able to install malware on your system. Certain types of malware will provide the hacker with a backdoor into your network that they can use to access valuable information. Other types of malware will capture specific types of information and send it back to the hacker. Using these methods, your private company information or the private financial information of your customers can be easily compromised.

Another way that tricky spammers can impact your business operation is by impersonation. They will create emails that appear to be from your organization and send them to millions of email addresses hoping that someone will believe their masquerade. To take this fraudulent hoax a step further, they may even create a website that resembles the official landing page. In this way, they could trick your customers into revealing important financial information and compromise your reputation.

Your company’s reputation could also be damaged if spam gets past your defenses and infects your system with a virus. The virus could use your email system to send out malicious spam to people in your address book which could also infect their systems. They will blame the original creator of the virus, but they will also blame you and your lax security procedures.

In addition to compromised reputations, other impacts represent real dollar amounts. Anti-spam technology costs businesses of all sizes a substantial amount of money in software and hardware solutions. The lost productivity experienced as employees deal with spam email translates into a major payroll expense. Wasted storage and bandwidth combined with increased internet connection costs run the spam bill up even more.

Impact on Small and Mid-Sized Business
Small and mid-sized businesses are often impacted more severely than larger businesses. They often lack the resources to implement counter-measures to detect and quarantine spam which leaves them open to risks. In addition to the loss of productivity caused by spam, the threats listed above are a larger threat to smaller businesses. Just like larger companies have the resources to fight spam, they also have a larger budget to recover from any damage done to their reputation by compromised personal information. In contrast, small to mid-sized businesses face the potential to lose a large portion of their customer base due to problems caused by spam.

Detection Methods
As new security protocols are put into place to combat spam, creative spammers are working equally hard to find a new way around them. This trend of increasingly sophisticated security threats is causing electronic security professionals to rethink and bolster protective measures. While it is fairly easy for a human to determine if an email is spam, it’s not as easy for a program to do the same. If a legitimate email is identified as spam based on a security program’s inspection criteria, it is referred to as a false positive. While there is a certain amount of risk involved with missing important messages, most spam blockers rely on identifying spam by inspecting the contents of the email.

Additional methods are being developed. Some companies rely on DNS-based blacklists where a third-party service identifies spammers and maintains a list of sites that are known to send large amounts of spam. Another method quantifies the “alienness” of strings. It analyzes the incoming email and identifies it as spam if it has a substring that has a high degree of alienness when compared to the rest of the message. Security software developers continue to try to stay ahead of the spammers and hackers, and new detection methods can be expected in the future.
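A DNS-based blacklist lookup works by reversing the sender's address and querying it as a hostname under the list's zone. The sketch below is an added example, not code from the original article: the zone names and the sample records are constructed placeholders, and the resolver is passed in so the logic can be exercised without network access.

```python
import ipaddress
import socket

# Listed entries answer with an address in 127.0.0.0/8 (RFC 5782).
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed zone data standing in for real DNS answers.
SAMPLE_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],             # standard test entry
    "7.113.0.203.dnsbl.example": ["127.0.0.4"],           # a listed sender
    "9.113.0.203.hijacked.example": ["198.51.100.80"],    # wildcard answer, not a listing
}


def dnsbl_query_name(ip_text, zone):
    """Build the lookup name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Resolve A records with the OS resolver; no answer means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def sample_resolver(name):
    """Offline resolver backed by the constructed zone data above."""
    return SAMPLE_ZONE.get(name, [])


def check_sender(ip_text, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every zone that lists the sender."""
    listings = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip_text, zone))
        # Ignore answers outside 127.0.0.0/8: a resolver or parked zone that
        # answers every name would otherwise mark all mail as spam.
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            listings[zone] = codes
    return listings


if __name__ == "__main__":
    zones = ["dnsbl.example", "hijacked.example"]
    for sender in ("203.0.113.7", "203.0.113.9"):
        print(sender, check_sender(sender, zones, resolve=sample_resolver))
```

Filtering on the 127.0.0.0/8 range is what keeps a misbehaving resolver from producing the false positives described in the previous paragraph.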

Anthony Ricigliano

The Security Dangers of Outsourcing

October 5th, 2010 admin No comments

In today’s Internet-based marketplace, many companies are practically forced to outsource their web development projects to keep pace with the need for specialized applications. Many IT shops can’t fully utilize a staff of web-development experts on a regular basis, or afford the ongoing training that is necessary to maintain state-of-the-art skill sets. If they choose to only keep one or two web designers on their payroll, they are not staffed adequately to meet strict deadlines and a constantly changing environment. While they would prefer to develop in-house, most IT shops have found that outsourcing can bring cost savings and efficiency to their web-design projects.

While outsourcing makes sense, a number of security concerns should be addressed. Studies indicate that as many as 75% of information security breaches are at the application level. Because Internet-based applications operate on the outside of a company’s firewall and are often used to capture confidential information, there is a large risk for security violations. Although the concern is high when systems are developed in-house, it is even higher when programs are outsourced. Each line of code should be reviewed prior to implementation to reduce the chance of any security vulnerability finding its way into the production environment.

Even if the outsourcing company has their client’s best interests in mind when developing code, hackers continue to discover new ways to take advantage of inadvertent defects in code. In fact, what is perfectly acceptable and safe today may be the hacker’s preferred weak spot tomorrow. It is critical to choose an outsourcing company that has security experts on their staff who continue to monitor hacking trends for the latest security issues.

Before choosing a web-development outsourcing company, create a framework to address security concerns. At a minimum, it should include the following items:
• Evaluate each potential web development group for security expertise. While many companies maintain strict requirements to ensure that their code follows the latest standards and best-practice recommendations, few include a staff of security experts that are current on the latest hacking methods. Include security as part of the contract and service agreements.
• Decide whether the contractors will be required to develop the system on-site or if they will be allowed to access proprietary systems off-site. An alternative method is to supply the company with test data and scenarios for off-site development without the need for early access to live systems.
• Determine critical points for user-level testing, acceptance testing, quality control reviews, and code review. Not only will this process point out security concerns early in the process, it will also ensure that the system satisfies the core requirements.
• Before implementation, a thorough code review should be conducted to identify any final security vulnerabilities. Any weak points should be addressed immediately. The code should be staged on a test platform for a thorough evaluation where non-developers attempt to use the latest hacking techniques to breach the system’s security protocols.
• After implementation, the code should be reviewed periodically to identify any new security vulnerabilities that have been identified. This should be a formal security audit with a defect testing process.

To make code reviews a more methodical process, a variety of technologies have been developed to assess and certify outsourced applications. Before choosing a tool, evaluate its strengths and weaknesses in the areas of certification, prioritization, tracking, and remediation.
• Certification should address both internal and external audit requirements.
• Prioritization should rank the potential security vulnerabilities according to number, severity, types, and potential impact so that developers know which should be addressed first.
• Tracking should report on the progress of improving security weaknesses over time.
• Remediation provides information to the outsourcer so that they are responsible for correcting any vulnerability that is clearly identified and prioritized.

Anthony Ricigliano

Military Spending Remains Untouchable

October 4th, 2010 admin No comments

News by Anthony Ricigliano: As the national debt continues its upward trajectory, now projected at over $13.6 trillion, military spending is moving to the front of Washington spending and policy battles. The military is starting to feel some of the heat, as witnessed by Secretary of Defense Robert Gates’ proposal for adjustments in command organization which could save billions over the next half a decade or so. Whether it was the military just trying to get out in front of the issue to look proactive, or something that actually might occur, remains to be seen.

Even at the highest degree of savings, the proposal is a drop in a very big ocean considering that our global military establishment is funded to the tune of $750 to $800 billion per year. It’s really not even a drop in the bucket considering that Gates still sees military spending continuing to increase, just not as fast as it has been in the last few years.

The military/industrial complex, despite the modesty of the proposals which have been put forward, is taking every measure possible to ensure that their budgets remain untouched and unexamined. These measures range from the vague testimony given by Gates to the assembly of committees made up of members of the military/industrial complex to override proposed budgets from Congress. Gates gave as vague a testimony as possible, talking about reducing the number of military contractors by 30 percent but saying he didn’t know how many contractors are currently employed by the Pentagon.

Regarding committees to refute the findings of the Quadrennial Defense Review, made public this spring, Congress tasked the United States Institute of Peace (how’s that for a misnomer) to provide an independent study of military needs and funding. The committee was chosen by the Department of Defense which, to no one’s surprise, announced that the findings of the Quadrennial Defense Review had understated military needs across the board. The USIP direly announced that military funding had to be increased to levels far above the QDR’s recommended expenditures or disaster would be close at hand. The only concession the USIP report made was to admit some waste and inefficiencies which would be eliminated to help pay for the spending increase. Specific actions on how to eliminate waste and inefficiency were not detailed.

The military/industrial complex’s desire for open-ended and growing funding to defend America isn’t meeting any resistance in Congress for good reason: bringing massive military projects home to the constituency while receiving campaign funds from the same purveyors of those projects is too big a temptation to pass up. On the political side, those that make any mention of military cutbacks still get branded with a “soft on terror” tattoo and then have to abandon the rest of the agenda to defend cutbacks on redundant and unworthy projects. For many, it’s much easier to go along for the ride, tough on terror and bringing home the bacon to the voters.

By Anthony Ricigliano

The Challenges of Data Management

September 20th, 2010 admin No comments

While the hardware required to store massive amounts of data becomes cheaper with each passing year, the resulting explosion of stored data content means that companies are forced to devise innovative new ways to meet the challenges of processing this ever-growing wealth of information. Simply storing everything forever because of the low cost of storage media sounds like a good idea to the uninformed, but massive amounts of information stored in databases and flat files can make retrieval, purging, and archiving a difficult process. Recent electronic data laws that require specific periods of retention to allow for auditing in the event of fraud or other wrongdoing only serve to complicate matters even further.

Best Practices for Data Management
Like any other data processing area, the experts in data management have compiled a list of best practices. While each item will not apply to every organization, the individual IT shop should choose the practices that work well for their particular data storage model. With the growth in data warehouses, a data management strategy is critical to the overall success of virtually every business area. Rules and code should be created to make sure that each piece of data is always accurate, that it means the same thing to everyone and every system, and that everyone has access to the most current information.

Data Stewardship
A data steward maintains the metadata registry and ensures each data element’s integrity. This would include making sure that each data element has a clear and precise definition, that the data element is not duplicated unnecessarily, and that each data element has clear and up-to-date documentation that specifies valid values, data sources, and data destinations. When the data element is no longer required, it should be immediately removed from the file structure. Data stewardship ensures consistent use of a defined field between multiple computer systems, allows for easier mapping of data, and reduces migration costs.

Model Driven Integration
By using Unified Modeling Language (UML), some IT shops are using the model-driven strategy to provide application integration solutions. This is an attempt to reduce the costs of meeting the ever-changing demands of the current business world by quickly adapting the existing software infrastructure. It attempts to separate business logic from the underlying system so that individual components can be reused without the need to change them. With this theory, data storage should be kept independent from application design and organized according to the business needs.

Active Data Model
Relational databases are the storage method of choice for most organizations that require retention of massive amounts of data with fast retrieval times. The Active Data Model “actively” refreshes the data that is seen at the client level. The client retrieves data in its current state. Next, it tracks the data created, deleted, or modified by the user, and then passes the information back to additional services for validation prior to permanent storage. Because data at the client level is always up-to-date, code designed to set up or manipulate the data can often be reduced or eliminated.

Organizational Challenges
As the amount of stored data grows, so do the organizational challenges. While no one wants to keep out-dated information, it has become increasingly necessary to do so in case of audits or legal challenges. Old data must be archived once it is no longer needed for instant retrieval, but it must still be kept somewhere that it can be accessed fairly easily when necessary. Due to inconsistent classification of data between systems or between organizations, substantial effort and cost are wasted in trying to reconcile data. In many cases, both systems will be correct, but they may be following different data management rules. When data elements are stored in multiple file systems, data errors can become a major problem. One system may be updated before another one, or certain systems may not be updated at all. When two or more computer systems are merged together due to the growth in mergers and acquisitions, it only compounds the problems if an aggressive data management strategy is not used.

Presenting Your Private Company to Investors

September 17th, 2010 admin No comments

Author Anthony Ricigliano: If the time has come to raise funding to expand your business, you’re likely to be presenting your business to a variety of investors. Assuming that you are past the “friends and family” funding stage, you could end up presenting to investors referred to you by your friends and family or to angel investing syndicates. First of all, your company either has a product/service or has something in the concept phase. Either way, there are points to be made and mistakes to avoid. One of the biggest mistakes business owners make is over-emphasizing how great an idea their product/service is. Don’t get me wrong, differentiating yourself from the competition is important. The problem here is, quite frankly, your idea is probably being pursued by other companies right now. If it’s a really great idea, there will be more people chasing it in a few weeks or months.

Here’s another crack in the “My idea is so great that we’ll take over the world” pitch. Getting a patent for it may or may not protect you. If a patent isn’t allowed or doesn’t protect you for some other reason, that’s one thing. If it does, you may be taking on a problem that kills your company anyway: a long drawn-out court battle.

Don’t toss up your hands and walk away yet. There is a way to differentiate your business, impress investors, and realize your business’ potential: focus on execution. A detailed roadmap of how you’re going to outwork and execute better than your competition is what is going to matter both to your potential investors and to your company.

It’s quite possible that the reason you started your business is that you see endless potential with opportunities dovetailing out to other endless opportunities. You see the market as broad and deep with revenues sitting out there for the taking. Here’s another mistake to avoid: spending more time on the huge potential that exists from these dovetailing markets as opposed to the opportunity that exists in the short term. It doesn’t matter if the first market opportunity is infinitesimal compared to the downstream markets; your potential investors are going to want to hear how your company is going to grow on a step-by-step basis.

Next, presenting your business as having no competition may sound great but a space with no competition really isn’t a space at all. An investor hearing that there’s no competition should immediately wonder if a market exists and, if it does, ask why no one is addressing it. Having the answer to a question that isn’t being asked is a sure way to lose an investor and a lot of time waiting for that market to develop, if it ever does. A great example of this type of situation is Corning’s “Gorilla Glass” which was patented in 1962 and sat on the shelf for almost half a century before markets developed in high tech and high definition televisions. Corning could afford the wait but that luxury isn’t available to startups. Competition in a space confirms that there is a market, now it’s up to you to out-execute the other players that are already out there.

By Anthony Ricigliano

It’s Not Over Yet in Housing

September 17th, 2010 admin No comments

Author Anthony Ricigliano: It’s not over yet in housing as the recent July sales reports of new and resale homes hit lows not seen for three years. The July numbers were off by twenty percent from the previous month in Southern California with other reports showing similar declines as new and re-sale home sales fell sharply across the country for the month of July. The supply of houses currently for sale would take over ten months to sell at current demand levels with indications that the time frame could extend to a year in the near future. The high for this metric was 11.2 months in February of 2008.

Keep in mind that these are numbers supplied by the National Association of Realtors (NAR) which has developed a reputation for finding the silver lining behind every cloud in the real estate market for years. Other industry watchers’ numbers show a picture of housing which is even bleaker. Housing economist Thomas Lawler’s preliminary estimate for existing home sales in July is 3.95 million. If that’s the case, the number would mark the lowest number of sales since 1996. Going further, his estimate for the supply of houses currently on the market in July would calculate out to 12.3 months of supply.

Historically, normal housing markets which are healthy have less than 6 months of supply according to studies by Case-Shiller. Once the supply number goes over six months, prices soften and start to fall. These metrics for the supply of housing don’t include an aspect that didn’t factor in much or was completely non-existent: shadow inventory.

Shadow inventory is made up of homes which have been foreclosed but aren’t currently listed for sale by their respective REO departments. Shadow inventory homes are typically kept off of the market when an area has been hit with a high foreclosure rate. The logic here is that putting more homes up for sale, in addition to a boatload already out there, is just going to scare potential buyers and depress prices further. Shadow inventory numbers are part of the total of homes in a lender’s REO department and getting precise numbers is difficult. One estimate number which was put forward by well-respected Amherst Securities analyst Laurie Goodman in congressional testimony in December 2009 came in at 7.2 million.

If that number is close to reality, the actual supply would take a lot longer to liquidate. That’s a big chunk of homes to get through, made even tougher by a soft jobs picture and lending standards which either exclude buyers completely or relegate them to the very low end of the market.

Keep in mind that this inventory buildup occurred as sales were pushed forward by the homebuyers’ tax credit, which is now expired. What it all means is that the housing recovery has a way to go which could include another bout of lower prices. The one piece of advice I can offer is any statistics coming out of the NAR should be taken with a grain of salt.

By Anthony Ricigliano

September 15th, 2010 admin No comments
