Proposal for Mobile Application Development


Due to the increase in the number of mobile applications and more flexible mobile gadgets, there is a need to push towards more functional mobile applications for various uses. There is a need to design a mobile application that allows workers to push the envelope without needing a bulky laptop. The sales representatives will be glad to use the application rather than plugging in a computer. Since the sales team already have Apple and Android devices, the company's sales have increased by 30%. The proposal will boost the company's sales force, hence making the company more competitive.

This software is not only a traditional interface to the organization's portal; it is also a completely functional tool. The application will be referred to, pending approval, as Production+. As the leading wine-producing company across the country, the company should also lead in innovation and creativity. The company's sales reps are currently using iPhones and iPads; for this reason, they will be the first to experience the efficiency of this application. The devices are voice- and data-capable and are powered by Verizon service. The network will be shared with other partner organizations for the successful completion of this tool (Loukas, 2015).

For transmission of data from mobile gadgets, security protocols will be implemented to encrypt it, preventing any unauthorized individual from accessing confidential information. For instance, the Cyber Security Division of Homeland Security focuses its attention on mobile internet infrastructure security by establishing security protocols for existing internet infrastructure such as routers and browsers, to ensure that users are not directed by malicious actors to pathways or websites that are not safe.

In most cases, the end user is the weakest point in any system. It is not surprising that, for several years, data breaches have occurred within organizations, always innocently caused by the user. This happens either through deliberate intent or through careless actions, and it should be taken into consideration when securing an operating system (OS). This application will not in any way allow issues such as a classic web-based connection to an in-house server.

Threats to network security can be categorized into deliberate penetrations, accidental disclosures and physical attacks. Accidental disclosure can occur as a result of software or hardware malfunction or due to user error. Physical attacks are a risk to the physical environment or infrastructure and are mostly carried out by outsiders (Loukas, 2015). Deliberate penetrations occur due to active infiltration by members of an organization who have the right to access confidential information. All the network protocols currently in use, which include UDP, FTP, SFTP and HTTPS, will be used once the app connects via VPN connections. When working with partner organizations to stream commercials of merchandise and images, or even when transmitting a sales sheet, having this data will change the sales force over time.

The devices offer several means of authentication; this makes it possible for the company to use these methods in addition to the traditional use of passwords. Two-level authentication will be used for access to the application. The gadget will have a fingerprint and a password that enable the user to access it; here the fingerprint is the key, with the PIN as backup. The smart devices' security will not be changed. To secure the application, the app will not be used on Wi-Fi unless there is a manual override due to service issues. The gadgets' app store will not carry the application upon release; it will be manually pushed to the devices with the help of the company's management software team.

Application Requirements

The most important business function of the application is marketing products. The app will enable sales reps to increase their production and efficiency anywhere they visit. With this app, sales representatives will have access to sales per product and even vendor information, which enables them to market the product with ease. With the app, they will be able to display products and even process new orders, which at the end of the day contributes to increased sales.

The app uses cloud storage; this makes it possible for information from other organizations to be connected to a cloud-based server, allowing interconnection of operations with reduced downtime due to server redundancy via a provider such as Amazon. Backup information exchange is carried out through the cloud provider, allowing the organizations to interact freely by copying a listing to the cloud as a backup, which will be used in the mobile app. This application is more than an order system because it gives the salesperson the total of each transaction. Personal information will not in any way overlap with that of the company or a partner organization. The only information the app is allowed to import from the phone is contact information and geographical location (National Institute of Standards and Technology (NIST), 2005).

There will be remote connectivity to all the components, provided via a virtual private network (VPN); this helps the sales representatives. A VPN is a virtual network built on top of a physical network, which can offer a safe communications mechanism for information transmitted between a mobile gadget and the network. Mobile VPNs safeguard the integrity, confidentiality and availability of, and access to, sensitive and crucial information, and remain connected while the location and the networks may change. Mobile VPNs are different from other VPNs, which include IPsec VPNs that connect endpoints and Secure Sockets Layer (SSL) VPNs that connect the user to web browsers (National Institute of Standards and Technology (NIST), 2005).

(Velu, 2016)

Threats

Systems are prone to attacks; in most cases, the susceptibility lies with the equipment or the software. To protect the system from such attacks, there is a need to conduct regular system maintenance. The threat agents that were taken into consideration when building this app include automated programs and human interaction.

Human interaction offers users many opportunities; it is at this point that several issues can arise as a result of human error. Stolen device user: this is a user with no access rights to the device who aims to obtain confidential information held in memory that belongs to the owner. To prevent such access, the app is set to ask for a fingerprint when it has not been in use for five continuous minutes. Owner of the device: this threat can occur when the user involuntarily installs a malicious mobile app that obtains access to the mobile application's memory (Velu, 2016). This will not interfere with the company's operations since the phone will be controlled using iron application, which disables the usage of uncertified apps and ensures that the needed software is pushed to the gadget. Organization internal workers: this refers to any user within an organization; it could be the admin, a programmer or simply a user (National Institute of Standards and Technology (NIST), 2005), that is, an individual with privileges to carry out any action on the app. Limited rights are granted to certain administrators, and these require the approval of an additional administrator; two individuals must authenticate.
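The two controls described above, the fingerprint prompt after five idle minutes and the rule that a second administrator must approve a privileged action, can be sketched as follows. This is an added example, not code from the proposal; the class names, the `wipe-device` action and the user names are hypothetical.

```python
from dataclasses import dataclass, field

IDLE_LIMIT = 5 * 60  # seconds; the proposal's five-minute idle threshold

@dataclass
class AppSession:
    """Hypothetical session; times are seconds from any monotonic clock."""
    user: str
    last_activity: float
    locked: bool = False

    def request(self, now: float) -> bool:
        """Allow a request only if the session is unlocked and not idle too long."""
        if self.locked or now - self.last_activity >= IDLE_LIMIT:
            self.locked = True  # stays locked until the fingerprint check passes
            return False
        self.last_activity = now
        return True

    def unlock(self, fingerprint_ok: bool, now: float) -> bool:
        """Clear the lock only on a successful fingerprint check."""
        if fingerprint_ok:
            self.locked, self.last_activity = False, now
        return not self.locked

@dataclass
class AdminAction:
    """Privileged action needing the requester plus one other administrator."""
    name: str
    requester: str
    approvers: set = field(default_factory=set)

    def approve(self, admin: str, admins: frozenset) -> None:
        if admin not in admins or self.requester not in admins:
            raise PermissionError("only administrators can request or approve")
        if admin == self.requester:
            raise PermissionError("requester cannot approve their own action")
        self.approvers.add(admin)

    def may_execute(self, session: AppSession, now: float) -> bool:
        # Both controls must hold: a live session for the requester and a second admin.
        return (session.user == self.requester and session.request(now)
                and bool(self.approvers))

def demo():
    admins = frozenset({"alice", "bob"})       # constructed sample names
    session = AppSession("alice", last_activity=0.0)
    action = AdminAction("wipe-device", "alice")
    before = action.may_execute(session, now=10.0)             # no second approval
    action.approve("bob", admins)
    approved = action.may_execute(session, now=20.0)           # approved and active
    idle = action.may_execute(session, now=20.0 + IDLE_LIMIT)  # idle limit reached
    after_unlock = (session.unlock(True, now=400.0)
                    and action.may_execute(session, now=401.0))
    return before, approved, idle, after_unlock
```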

Automated programs usually don't need interaction from the user, yet they are also a threat, and such threats go undetected. They include malware on the device: this is any mobile app that can carry out suspicious malicious activity. It can be an app that sends real-time information from the user's gadget out to any server. The program runs in parallel with the processes in the background and stays alive, carrying out suspicious activity throughout; it can also send the browsing history and text messages. All the devices have been designated as work devices, and a rule has been put in place to limit their usage to approved sites that salespersons will visit, such as order sheets, vendor websites, etc. The next one is malicious SMS: this is an incoming short message that is redirected with the aim of triggering suspicious activity on the phone (National Institute of Standards and Technology (NIST), 2005). There are some services that run in the background. These services have listeners that might be active and hence listen for incoming messages. Such a message might trigger the malicious activity. This will be resolved on a case-by-case basis, and if such messages are sent, the information technology (IT) department will be informed immediately. The other issue due to automated programs is the malicious app: this is where the system fails to detect malicious code and there is a possibility of an attack against the application store. Because the devices will be limited to already approved apps, this will not be an issue; the needed apps will be pushed to each gadget.

Methods of Attack

Spoofing refers to imitating or tricking someone. Understanding this term calls for one to evaluate the IP packet structure comprehensively (Loukas, 2015). Most cyber-attacks, including packet spoofing, originate from flaws in network design. The cyber-attacker crafts IP packets targeting a particular location; the source IP is changed so that it hides the attacker's computer, and in this way the attacker can use the computer as a tool for collecting data.

(Phatak, 2016)

Analysis of Threat

The initial step in the process is hiding the network; sniffing allows the attacker to gain a lot of information about the target computer. The information leaked includes the operating system, open ports, layer-seven applications and the cryptography in use, all without revealing the attacker's identity. For instance, the attacker can send a spoofed packet to establish whether the target computer is running a Web server (Phatak, 2016). Once the port data is revealed on the sniffer, another packet is sent to the attacker's target to determine a telnet session and the headers on the Web server; this will reveal the operating system data as well as the security support data and the Web server in use.

The spoofing methods commonly used by cyber-attackers include ARP spoofing, IP port spoofing, and DNS spoofing or poisoning (Kott, Wang & Erbacher, 2014). IP port spoofing is used by the hacker to cheat firewalls and NAT devices, hiding the attacker deeper in the network. A firewall that is not well maintained and leaves only old rules in action can leave some ports open, creating a risk of attack. ARP spoofing targets packets on a LAN in order to attack an IP address belonging to another host. Binding a MAC address to the IP address makes it qualify as a local man-in-the-middle attack. Hackers can forward the data to its intended destination so that no information is lost in the process, which makes the attack difficult to detect. DNS spoofing is a crucial attack that affects the domain name server; it changes DNS entries to the attacker's IP address (Phatak, 2016). This sends email and web traffic to the attacker. Here, email information can be stolen and websites defaced. This leads to web and email spoofing, which takes the initial step out of the equation while giving similar results. The impersonation is done by creating a fictitious web address, email, or even hyperlink. The process is started by planting a virus or launching a denial-of-service attack, hence keeping the hacker hidden.

Controls

Protecting the network and all the devices is important for any organization. The control measures in place aim at creating an environment free of data breaches (Manning, 2015). Some of the control methods have been discussed in detail in the threats section.

In most cases, cyber attackers find their way into a network when a worker uses a poor password or clicks a link in an email. Staying up to date on the latest scams and ensuring that workers are informed of them is important when protecting one's network and devices. Creating an organizational policy requiring employees to use two-factor authentication and strong passwords ensures that such attacks are controlled.

The other thing is to have updated devices that are not susceptible to attacks. Neglecting antivirus software, operating systems, firewalls and web browsers leaves loopholes in the security system. Encrypting all information and using ad blockers will help in the protection of each gadget. The TCP timeout and the HTTP open session timeout will be set to a realistic, agreed-upon time. The firewall will be configured so that it prevents HTTP threads from being initiated for attack packets (Manning, 2015).

The most cost-effective way to prevent cyber-attacks is creating awareness among the employees. For example, about 50% of US companies organize training for their employees on cyber security (Manning, 2015). It is important to know that a cyber-attack can take place through an attacker gaining access to a laptop belonging to a worker. That is why it is important for companies to have security training for their employees; this is compulsory before newly recruited employees are given access to the data. The current employees will also be trained and are required to undergo the training twice a year.

Tools such as Wireshark will be used to detect malicious activity. The only approach to security in this era of frequent cyber-attacks is to remain up to date. The IDS will show suspicious activity and raise alerts for the selected activity.
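As an added example of the kind of alert an IDS can raise for the ARP spoofing described under Analysis of Threat, the following detector flags an IP address whose MAC binding changes and a MAC address that claims several IP addresses. It is not part of the proposal; the sample ARP replies are constructed and the `pinned` parameter is a hypothetical way of fixing known-good bindings such as the gateway.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:00:00:01"),    # gateway
    (1.0, "10.0.0.23", "aa:aa:aa:00:00:17"),   # sales device
    (5.0, "10.0.0.1", "aa:aa:aa:00:00:01"),
    (9.0, "10.0.0.1", "de:ad:be:ef:00:99"),    # gateway IP claimed by a new MAC
    (9.5, "10.0.0.23", "DE:AD:BE:EF:00:99"),   # same MAC now claims a second IP
    (12.0, "10.0.0.1", "aa:aa:aa:00:00:01"),   # real gateway answers again
]

def detect_arp_anomalies(replies, pinned=None):
    """Return alerts as (time, kind, subject, detail) tuples.

    pinned maps IP -> MAC for bindings that must never change; other
    bindings are learned on first sight and updated when they change.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    learned = dict(pinned)
    ips_by_mac = defaultdict(set)
    for ip, mac in pinned.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # MAC addresses compare case-insensitively
        expected = learned.get(ip)
        if expected is not None and expected != mac:
            alerts.append((ts, "binding_changed", ip, f"{expected} -> {mac}"))
        if ip not in pinned:
            learned[ip] = mac
        owners = ips_by_mac[mac]
        if ip not in owners:
            owners.add(ip)
            # Can be legitimate (a router with several addresses), so it is
            # reported as a separate alert kind for the analyst to triage.
            if len(owners) > 1:
                alerts.append((ts, "mac_claims_multiple_ips", mac,
                               ",".join(sorted(owners))))
    return alerts

def alert_kinds(replies, pinned=None):
    """Convenience view: only the alert kinds, in order."""
    return [kind for _, kind, _, _ in detect_arp_anomalies(replies, pinned)]
```

Pinning the gateway binding removes the alert that would otherwise fire when the legitimate gateway answers again, leaving only the alerts caused by the spoofed replies.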

User security is crucial; whether for a salesperson or a client, personal data must be protected to the letter using an authentication method (Manning, 2015). When accessing the company's email, a PIN or fingerprint will be required. Every time a client wants to input new information, a sales rep must authenticate it using a fingerprint before allowing transmission.

Understanding how the mobile application works will guarantee a brighter future for this organization; there is a need for all the sales reps to have this app for easy marketing of the products. The program will be released in 3 tiers, beginning with the sales manager once it has been tested for reliability as required by the operations oversight. It will then be given to select sales representatives from each manager's team to test. The last release will be for all sales reps; the board's decision will be important in the implementation of the application.

References

Kott, A., Wang, C., & Erbacher, R. F. (2014). Cyber Defense and Situational Awareness.

Loukas, G. (2015). Physical-Cyber Attacks. Cyber-Physical Attacks, 221-253. doi:10.1016/b978-0-12801290-1.00007-2

Manning, K. (2015). 8 Ways Businesses Can Prevent Cyber Attacks. Retrieved from http://www.business2community.com/cybersecurity/8-ways-businesses-can-prevent-cyber-attacks-01251164#FITE6glddikY67Pv.99

National Institute of Standards and Technology (NIST). (2005). Guide to IPsec VPNs. U.S. Department of Commerce. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-77.pdf.

Phatak, P. (2016). Cyber Attacks Explained: Packet Spoofing. Retrieved from https://umuc.equella.ecollege.com/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://umuc.equella.ecollege.com/file/71aa74ac-8c33-4bca-a31e-06f626a6f443/1/CyberAttacksExplained_PacketSpoofing.pdf

Velu, V. K. (2016). Mobile Application Penetration Testing. Packt Publishing.

August 01, 2023