IS White Paper 2010, Part 2 “10 Major Security Threats” Released
Jun 7, 2010
Based on the reports filed with the Information-technology Promotion Agency, Japan (IPA) and the information released to the public during the one-year period from January 2009 to December 2009, IPA compiled "10 Major Security Threats for the Year 2010, Organizations' Security Flaws Brought to the Surface!" (hereinafter "this document") and released it on its Website on Wednesday, June 7, 2010.
This document was compiled by the "10 Major Security Threats Authors' Committee (See Page 35 in this document)" consisting of 120 people, including those participating in the "Information Security Early Warning Partnership (*1)", information security researchers and those responsible for information security in enterprises/organizations, and is based on computer virus/unauthorized computer access/vulnerability information reported to IPA as well as the information released to the public on the Internet and other media. Since 2005, IPA has been releasing it once a year and this year marks the sixth publication.
In 2009, various information-network-related incidents occurred, including ones caused by an attack method called "Gumblar". In one of the Gumblar-related incidents, user IDs and passwords for a Website were stolen from the contracted site operator, which highlighted the need for comprehensive security countermeasures covering both contracting and contracted parties. Enterprises should recognize that such efforts were needed from the beginning and should take appropriate security countermeasures accordingly.
On the other hand, there was a report on an "internal crime" in which information was stolen in a leading company, resulting in the estimated loss of about 7 billion. In the case of internal crime, the probability of important information being stolen is higher than that of an attack from outside. In order to protect important information, it is important to implement system access control as well as physical access control for those entering or leaving the facility containing such information.
To implement these security measures, you need to analyze potential business impacts on your organization that might be caused by the existing threats. Security countermeasures have two major aspects: "proactive measures" and "incident response". The former addresses preventing security incidents (or accidents), minimizing damages, and thus ensuring business continuity; the latter addresses minimizing the damages caused by the incident (or accident) that has happened and making a quick recovery.
This document is organized as follows:
Chapter One – looks at the business impacts on organizations that were caused by the actual security threats during the year 2009
Chapter Two – outlines 10 major security threats for the year 2010, compiled from the threats to the secure use of the Internet that arose in the year 2009 from the aspect of "making a strong impression" and "having a significant impact on the society."
Chapter Three – presents proactive measures against, and incident response to, the 10 major security threats from the standpoint of corporate managers and system administrators/developers.
This document is due to be released as the "Information Security White Paper 2010 Part 2," which is scheduled to be published in the first half of 2010. We hope this document will help you understand the situation surrounding information security and work out measures to be taken. You can download and refer to the PDF file for this document at the following Website:
http://www.ipa.go.jp/security/english/third.html
(*1) The Information Security Early Warning Partnership, a public-private partnership framework pursuant to the METI Directive #235, 2004, has been established to promote software product and web site security and to prevent damage from spreading to a vast range of computers due to computer viruses or unauthorized access.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)