
“10 Major Security Threats 2015”

September 29, 2015

This report selects and ranks ten security threats that had a big impact on society in Japan in 2014, based on the expertise and insights of the 10 Major Security Threats Committee, which consists of about 100 information security experts.

It has 3 chapters:

  • Chapter 1: Basic Security Measures
    Trending threats change every year, but the goals of information security and basic security measures do not change much. Chapter 1 gives examples of the basic security controls that individuals and organizations should heed.
  • Chapter 2: 10 Major Security Threats 2015
    Chapter 2 presents the ranking and description of the 10 major security threats observed in 2014 selected by the 10 Major Security Threats Committee.
  • Chapter 3: Challenges and Concerns
    Chapter 3 introduces some challenges and concerns that could have a big impact on society and grow into more apparent threats in the near future.

IPA hopes this report will help the public understand the current situation surrounding information security and take necessary action, and that it will be used in education programs or security training at companies and organizations.

Download the Report:

10 Major Security Threats 2015
~ What should you do to avoid damage from cyber attacks? ~

Summary of the 10 Major Security Threats (Chapter 2)

The selected 10 Major Security Threats observed in 2014 are listed below:

1st: Unauthorized use of Internet banking credential and credit card information

Attackers stole Internet banking credentials and credit card data using viruses or phishing, and used the data to make fraudulent wire transfers and fraudulent charges while impersonating the users. In 2014, there was a significant increase in fraudulent wire transfers exploiting business accounts.

2nd: Information Leakage by Insiders

Incidents in which a contractor working at a big company stole sensitive data and sold it to third parties became a social problem. An insider who decides to do something malicious can do so freely within his or her privileges. It is therefore necessary to manage and monitor user accounts strictly and continuously, for example by implementing strict access control based on the importance of the data and by deleting users’ privileges when they quit.

3rd: Cyber Espionage through Targeted Attacks

Targeted attacks that remotely control a PC infected with a virus and steal internal data have continued to prey on public and private organizations. In 2014, it was confirmed that their tactics had become more adept: attackers used the targets’ real business partners and associated organizations as stepping stones to infiltrate the targets.

4th: Unauthorized Use of Web Services

If a user’s ID and password are stolen by an attacker, the attacker can log in to web services while impersonating the user. In 2014, there were a number of cases where user IDs and passwords were stolen from vulnerable web services and abused for unauthorized access to other web services. Those who used the same ID and password for multiple web services often became the victims.

5th: Leakage of User Information from Web Services

Cyber incidents in which customer information, such as names and addresses, was stolen from web services occurred frequently. If the stolen information includes data such as IDs, passwords and credit card data, it can have a wide range of impact, such as unauthorized logins and monetary damage.

6th: Cyber Terrorism by Hacker Collectives

In 2014, a U.S. entertainment giant was attacked and suffered an information leak and service suspension. In South Korea, internal data was stolen from a nuclear plant operator and disclosed online. Because the attackers claimed responsibility and/or disclosed stolen data to the public in these cases, the incidents had a big impact on society.

7th: Website Hacking

There have been many website hacks. The websites of companies and organizations have been hacked in such a way that just accessing a hacked website infects the visitor’s PC with a virus. When a website is hacked, not only do the companies and organizations themselves suffer damage (a service outage until full recovery), but their website visitors may also suffer damage (virus infection).

8th: Attacks That Exploit Internet Infrastructure Technologies

Services provided on the Internet are built upon trust in the underlying Internet infrastructure technologies, such as DNS and digital certificates. In 2014, attacks emerged that exploited these technologies to redirect users to malicious websites. Because such attacks are difficult for general Internet users to detect and prevent, Internet service providers are strongly expected to take countermeasures.

9th: Attacks That Leverage Response Time Lag After Vulnerability Disclosure

In 2014, vulnerabilities in popular software, such as Apache Struts, OpenSSL and bash, were disclosed one after another, and many attacks targeting them were observed. Users, both system administrators and general users, need to act as soon as possible to determine whether they are using software affected by the disclosed vulnerabilities, whether attacks trying to exploit them already exist, and how much they would affect their business or digital life.

10th: Malicious Smartphone Applications

Malicious smartphone applications that look cool and sound convenient may steal personal data, such as address book data, without the user noticing. Stolen data may be exploited for spamming and/or fraud, causing damage to friends and acquaintances.


IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)