April 23, 2001 |
Security
Security - The Enemy Within
Most break-ins happen because systems administrators lack the right resources or employees don't understand security procedures. Sound business practices, not more technology, are often the key to good security and must be made a top priority.
By Jason Levitt (jlevitt@cmp.com)
The FBI said in March that an estimated 1 million credit-card numbers had been stolen from more than 40 E-banking and E-commerce sites across 20 states. It's billed as the largest organized criminal Internet attack ever, and it occurred despite the fact that nearly all 40 sites had operational firewalls and other security infrastructure in place. Similarly, many recent high-profile cases of Web-site defacements, denial-of-service outages, and Internet worms occurred at sites that had security technology in place.
Who's to blame for the success of these attacks? "Internet Information Server, Linux, and Solaris administrators and their managers must take a major part of the responsibility," says Stephen Northcutt, director of the Global Incident Analysis Center in Bethesda, Md., in a recent security bulletin. "If they don't make even minimal efforts to secure their systems, they're making the attackers' jobs easier and making the problem worse."
The myth of the genius hacker who concocts exotic methods to crack major Internet sites is just that--a myth. The majority of highly publicized break-ins in recent years were possible largely because system administrators had neither the skills nor the resources to plug their security holes. Even the Internet attack last March wasn't the result of exceptional guile or skill. According to an analysis of the attack, the hackers exploited unpatched vulnerabilities in Windows NT 4.0--holes for which Microsoft has had patches since 1998.
"Security and IT resource planning haven't yet risen to the prominence they deserve, exposing companies to internal and external risks," says Andy Evans, a senior security engineer for Ecora Corp., a maker of IT auditing tools.
Visa Takes Security Seriously

Visa's information security requirements:
- Install and maintain a working network firewall to protect credit-card data accessible via the Internet
- Keep security patches up-to-date
- Encrypt stored data
- Encrypt data sent across networks using Secure Sockets Layer or other techniques
- Use and regularly update antivirus software
- Restrict access to data within the business
- Assign a unique ID to each person with computer access to data
- Don't use vendor-supplied defaults for system passwords and other security parameters
- Track access to data by unique IDs
- Test security systems and processes daily
- Maintain a policy that addresses information security for employees and contractors
- Restrict physical access to cardholder information; give an individual or team specific responsibility for managing information security

Data: Visa USA
Northcutt says too few companies give security training to their employees on the day-to-day use of computers. Unsuspecting employees often are the reasons new viruses and worms, such as the Anna Kournikova worm, gain traction. The Kournikova worm was E-mailed as an attachment that purported to be a photo of the tennis star. Actually, it was a Visual Basic script that installed itself on the recipient's system and propagated itself with his or her Outlook address book.
User training combined with company security policies might have headed off the worm before it did much damage. Employees could have been trained to pay attention to the file extension of the attachment that claimed to be a photo. The attachment's file extension was .jpg.vbs, indicating that it was a Visual Basic script.
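The double-extension trick described above (.jpg.vbs) is easy to catch mechanically at a mail gateway as well as by eye. The following is an added example, not code from the article or from any vendor it mentions: it classifies attachment filenames by their full chain of extensions and flags an executable extension hidden behind a benign-looking one. The extension lists are an illustrative subset chosen for this example, and the sample filenames are constructed.

```python
import os

# Extensions Windows will run when the file is opened. Illustrative subset,
# not an exhaustive list and not taken from the article.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr",
    ".pif", ".bat", ".cmd", ".com",
}

# Extensions a recipient would reasonably expect to be harmless media or documents.
BENIGN_LOOKING_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def split_extensions(filename):
    """Return every extension of a filename, lowercased, innermost first.

    'AnnaKournikova.jpg.vbs' -> ['.jpg', '.vbs']
    'README'                 -> []
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) < 2:
        return []
    return ["." + p.strip().lower() for p in parts[1:]]


def classify_attachment(filename):
    """Classify an attachment name by its extension chain.

    Returns one of:
      'executable'           - the final extension is a script or program
      'disguised-executable' - an executable extension sits behind a
                               benign-looking one (the Kournikova pattern)
      'ok'                   - nothing suspicious about the name itself
    Only the name is examined; content inspection is a separate control.
    """
    exts = split_extensions(filename)
    if not exts:
        return "ok"
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        # Any earlier benign-looking extension means the name is built to deceive.
        if any(e in BENIGN_LOOKING_EXTENSIONS for e in exts[:-1]):
            return "disguised-executable"
        return "executable"
    return "ok"


def flag_suspicious(filenames):
    """Return (filename, verdict) for every attachment that is not plainly 'ok'."""
    results = []
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            results.append((name, verdict))
    return results


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    sample = [
        "AnnaKournikova.jpg.vbs",
        "holiday_photo.jpg",
        "quarterly-report.doc",
        "setup.exe",
        "archive.tar.gz",
        "INVOICE.PDF.SCR",
    ]
    for name, verdict in flag_suspicious(sample):
        print(f"{verdict:22s} {name}")
```

A gateway rule built on this would quarantine anything classified "disguised-executable" outright and hold plain "executable" attachments for review; the classifier is deliberately conservative about ordinary multi-dot names such as archive.tar.gz, which it leaves alone.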
"Network security is a problem, not because the issues are too complex, but because people have viewed them that way," says Mike Corby, of Netigy Inc., a network security and performance company that consults with multinational companies. "We've found that security problems can be solved using the same awareness skills and people-orientation skills that people use in the other areas of their business. Security is to be treated just as any other business driver."
In the past four years, Corby has seen a dramatic shift in security policies. While security used to be a purely technical issue that was avoided by upper management, it can now be a potent marketing opportunity that lets a company capitalize on a good security record, he says.
Recent Visa credit-card TV ads that promise privacy for customer data indicate that security marketing is hitting the consumer mainstream. Consumers care about a company's attitude toward online security. Many companies are recognizing security as a competitive marketing issue both with their business partners and the public.
To show that it means business, Visa USA has set a May 2001 deadline for its E-commerce merchants to comply with a set of security requirements that are part of Visa's Cardholder Information Security Program (see sidebar "Visa Takes Security Seriously"). The requirements include obvious steps such as implementing a firewall, but also include more far-reaching goals such as encrypting stored credit-card data, encrypting data sent across networks, and testing security systems and processes daily. Not surprisingly, the 12 guidelines almost equally address technology and corporate security policy concerns.
"We're really looking at our requirements as a baseline for the industry," says Jean Bruesewitz, senior VP of advanced risk solutions for Visa USA. Bruesewitz says most of Visa's top 100 E-merchants already have security infrastructures and policies that exceed Visa USA's requirements, but they still need to prove their compliance. Online merchants are required to produce a statement of compliance from an independent third-party auditor by May 1. "These requirements are part of a process of bringing up the compliance and level of security," Bruesewitz says.