Data Storage Systems at Risk: Symantec, EMC Acknowledge, Correct Product Flaws
In a sign that virtually all bastions of business data security are vulnerable to attack, the vendors of two data storage systems, a product type often implemented to provide an added layer of defense against hackers, have each just admitted to security flaws in separate high-profile products and have issued corrective patches.
EMC Corporation of Hopkinton, Massachusetts, has issued separate patches for its Legato NetWorker system versions 7.2.1, 7.14 and 7.3, while Symantec Corp. of Cupertino, California, has issued patches for its VERITAS NetBackup Enterprise Server/Server 5.0 and 5.1 products. The patches and details of the security vulnerabilities in the products are available online at each company's support web site.
The potential vulnerabilities could have meant dire consequences in both product lines. Both vendors said that, prior to the fixes, their products in question were vulnerable to attacks that could result in a denial of service and enable hackers to “execute arbitrary code” within their victims’ systems.
EMC has reported no break-ins yet for any of its customers and there have been no reports of any breaches for Symantec Legato clients, but the incidents underscore a growing concern about the lack of data security. SANS Institute, the Bethesda, Maryland-based Internet security watchdog and training group that first reported the EMC product vulnerabilities, late last year issued an industry-wide report that found it’s almost impossible to protect data from truly dedicated hackers. It further found that, unlike Symantec and EMC this month, software vendors are typically slow to respond with patches.
To be sure, the Symantec and EMC products in question are typically used by enterprises too large to be clients of rank-and-file CPAs. But the matter is noteworthy to all practitioners because data storage is becoming a critical issue to businesses of all sizes, and it’s a growing concern for the data-intensive accounting profession itself.
As accounting profession consultant and publisher Rick Telberg noted in a recent advisory on Hewlett-Packard’s Web site, data storage, or vaulting, is becoming as significant to businesses as vaulting money is to banks because most businesses are “extremely or entirely dependent on their computer-based information systems.”
SANS, in its report last year, said that unlike other technologies, data security is getting weaker, not stronger. “The bottom line is that security has been set back six years in the past 18 months,” Alan Paller, SANS research director, said in a Washington Post story about the report. While vendors used to “automatically” issue patches for product vulnerabilities, he lamented, “Now the attackers are targeting popular applications and the vendors of those applications do not do automated patching.”
That report noted, among other things, that the cyber-space monitoring unit of the Department of Homeland Security found that products for backing up data are drawing intense attention from online criminals. The report incidentally also found a security flaw in another Symantec storage product, Veritas Backup Exec. Symantec responded that its policy is to quickly develop remedies and issue client alerts when it learns of a product vulnerability.