IT security & information risks of using Altova toolkits

Asked by sunhux about:
https://www.altova.com/download_current.html

I'm not familiar at all with the above tools, but recently discovered that a messenger
software used by financial traders could attach volumes of files, i.e. a risk of data leaks.

Can anyone share the risks & mitigations of using the above?
Top Expert 2015

Commented:
What messenger?

Author

Commented:
Don't worry about Reuters Messenger: just quoting an example

Any comments on Altova ?

Author

Commented:
The Altova tools we'll be using are:
DiffDog and StyleVision.

DiffDog is file comparison software, which can be used to compare files of different formats. Currently for many of our projects we compare the files either by eyeball or using some old methods.

StyleVision is an XSL generation tool. K+TP require XSL scripts to generate PDF confirmations for our counterparties. As part of Local Incorp we have to develop a few more confirmations and hence require XSL generation software. This is the only software recommended by Misys (vendor for Kondor) for preparing XSL scripts.

I suppose source code must not be leaked out, so we have to use these tools on isolated desktops that
are without Outlook?

btan, Exec Consultant
Distinguished Expert 2018
Commented:
They are a reputable company. Note there is always an end user licence acceptance with the software to safeguard privacy. You should check that out.

https://en.m.wikipedia.org/wiki/Altova

Some worthy notes
You may not distribute or redistribute, sublicense, sell, or transfer the Restricted Source Code to a third-party in the un-compiled form unless said third-party already has a license to the Restricted Source Code through their separate agreement with Altova.

If a computer is not on the same physical network, then a locally installed user license or a license dedicated to concurrent use in a virtual environment is required.

....you may not reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, underlying ideas, underlying user interface techniques or algorithms of the Software by any means whatsoever, directly or indirectly, or disclose any of the foregoing, except....
. By your acceptance of the terms of this Agreement and/or use of the Software, you authorize the collection, use and disclosure of information collected by Altova for the purposes provided for in this Agreement and/or the Privacy Policy.

You agree that Altova may audit your use of the Software for compliance with the terms of this Agreement at any time, upon reasonable notice. In the event that such audit reveals any use of the Software by you other than in full compliance with the terms of this Agreement, you shall reimburse Altova for all reasonable expenses related to such audit...

Such required third party software notices and/or additional terms and conditions are located at our Website at https://www.altova.com/legal_3rdparty.html and are made a part of and incorporated by reference into this Agreement.

Last updated: 2015/09/03
https://www.altova.com/m/eula.html

Author

Commented:
This query arises because in my past organization, where we maintained customers' source code,
a programmer posted source code in online forums to ask for support/assistance, and the code
had an indication of the customer's organization name.

It became quite an issue. So I just wanted to prevent my current place's developers from doing
the same, as they wanted to download code to be used with Altova DiffDog & StyleVision, which
I asked that they only use on isolated desktops that do not have Internet access, but they
objected as they wanted to use them on laptops which could be brought home (to connect to
their home Wi-Fi or even public Wi-Fi).
Top Expert 2015

Commented:
I don't see how encryption would prevent copy/paste to a public forum...
btan, Exec Consultant
Distinguished Expert 2018
Commented:
The software itself is alright. To restrict access and reduce leakage, maybe we can consider:
- an isolated working terminal not connected to the Internet (separate machine for Internet if required)
- the physical terminal being chain-locked to the company premises
- having DLP (DeviceLock) installed on the terminal so that external devices are restricted and transfer of any document is managed, as well as disabling other wireless interfaces
- employing kiosk-mode type terminal control if you only want the developer to use their development studio
- restricting any capturing device in the development premises, to prevent camera-capable devices being used and brought in
- physical premises equipped with an entry log and CCTV watched over by security staff

The above is best effort; have the developer make a daily declaration, but we also should not go too extreme being so paranoid. Eventually the developer will serve a penalty if the contractual user acceptance policy is infringed.
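A lightweight form of the "transfer of any document is managed" control from the list above, and a direct answer to the earlier incident of code naming a customer being pasted into a forum, as an added example (editorial illustration, not code from the poster, Altova or DeviceLock): a pre-share scan that flags customer-identifying names and credential-like strings in a file before a developer posts it, and redacts the names. The customer term list, the `.corp.example` internal domain and the sample XSL template are all constructed for this illustration.

```python
"""Pre-share content check (added example, not code from the page).

Flags text that names a customer or contains credential-like strings before
a developer pastes it into a public forum, and can redact the customer names.
The customer list, the internal domain and the sample XSL below are all
constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern

# Constructed denylist of customer/organisation identifiers that must not
# leave the company. In a real deployment load this from a controlled file.
CUSTOMER_TERMS = ["Acme Capital", "ACMECAP", "Kondor-ACME"]

# Generic credential/internal-asset patterns; ".corp.example" is an assumed
# placeholder for your own internal DNS suffix.
SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "internal hostname": re.compile(r"\b[\w.-]+\.corp\.example\b"),
}


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # which rule fired
    excerpt: str   # start of the offending line, for the reviewer


def _term_regex(terms: List[str]) -> Optional[Pattern]:
    """Case-insensitive alternation of literal terms (None if the list is empty,
    so an empty denylist never turns into a match-everything pattern)."""
    if not terms:
        return None
    return re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)


def scan_text(text: str, customer_terms: List[str] = CUSTOMER_TERMS) -> List[Finding]:
    """Return one Finding per (line, rule) that fires; an empty list means clean."""
    term_re = _term_regex(customer_terms)
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if term_re is not None and term_re.search(line):
            findings.append(Finding(n, "customer identifier", line.strip()[:80]))
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(n, kind, line.strip()[:80]))
    return findings


def redact(text: str, customer_terms: List[str] = CUSTOMER_TERMS,
           placeholder: str = "<CUSTOMER>") -> str:
    """Replace every customer identifier with a neutral placeholder.

    Only customer names are redacted; credentials still have to be removed
    by hand, which is why scan_text() should be run again afterwards.
    """
    term_re = _term_regex(customer_terms)
    return term_re.sub(placeholder, text) if term_re is not None else text


def is_safe_to_share(text: str) -> bool:
    """True only when no rule fires on the text."""
    return not scan_text(text)


# Constructed sample: an XSL confirmation template as a developer might paste it.
SAMPLE_XSL = "\n".join([
    '<?xml version="1.0"?>',
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">',
    '  <!-- Confirmation template for Acme Capital (counterparty code ACMECAP) -->',
    '  <xsl:variable name="smtpPassword">password=Tr4d3Conf!</xsl:variable>',
    '  <xsl:template match="/Confirmation">',
    '    <p>Trade <xsl:value-of select="TradeId"/></p>',
    '  </xsl:template>',
    '</xsl:stylesheet>',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_XSL):
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
    cleaned = redact(SAMPLE_XSL)
    print("safe after redaction:", is_safe_to_share(cleaned))  # False: the password remains
```

Run it against the sample and it reports the customer name on line 3 and the embedded password on line 4; after `redact()` the customer name is gone but the scan still refuses the text because the credential is untouched. The point of the second scan is exactly the caveat raised in the thread: a denylist catches the names you know about, not everything a developer might paste, so it is a gate in front of the human declaration, not a replacement for it.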
Top Expert 2015

Commented:
Come on, you have to double the salaries of the affected people before presenting such sick and weird ideas...
First there should be a written policy that work data belongs to work and private data belongs to you.
Forgot to mention: IT does not do HR and management functions.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Another means is to restrict Internet access until the VPN is set up and have the Internet routed through the company web proxy to restrict certain websites from being visited. Not a silver bullet, and those setups also require the existing infrastructure and desktop software to already be supported. Otherwise ask them to make a declaration if bringing it back home.

Author

Commented:
Encryption doesn't stop data leaks, but stopping Internet access and USB ports with IT policies would help.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Encryption doesn't stop data leaks, but having it encrypted makes it of no sense or value to the cybercriminal even if they have it. It is the same analogy as an encrypted HDD vs an unprotected HDD that still needs to undergo a secure wipe before reuse. The blocking and restriction at policy level are a means to an end; we can at most say it deters but does not necessarily stop leakage: imagine if I can get physical access to the machine, or the machine is infected with malware and data is siphoned off the machine. If the files are encrypted, those schemes, even if successful, will not be as great a loss. Regardless, security is all about having layers of defence and deterrence to reduce the attack surface and make the attacker work harder.
