OCTOBER 31, 2001, was a bad day for the new Acme Art, Inc., Web site, www.acme-art.com. A hacker stole credit card numbers from its online store's database and posted them on a Usenet newsgroup. The media were quick and merciless and within hours Acme Art had lost hundreds of thousands of dollars in customer orders, bad publicity, and most important, its much needed second round of venture capital funding. Acme Art's chief information officer (CIO) was perplexed. What had gone wrong with his recently commissioned security audit? Everything seemed fine. The firewalls prevented everything but HTTP traffic via ports 80 and 443. Going over the incident with a fine-toothed comb, ...