From tricking people into revealing personal information (phishing) to shutting down entire computer systems, cybercriminals, it seems, can readily gain access to many individuals and systems. Attackers can steal identities, medical records, and more, but most often they want money. To protect yourself against cyberattacks, it's important to know the facts.
What is a cyberattack?
A cyberattack happens when an adversary or an attacker targets computer networks, systems, and infrastructures. These attacks are what Darren Lacey, chief information security officer for the Johns Hopkins University and Health System, says his team spends most of its time and money on.
In the past 10 years, the number of attacks on organizations such as Johns Hopkins has grown and become more sophisticated. According to Lacey, Johns Hopkins receives millions of security-related incidents a day, but the network firewall blocks a majority of these attacks. About 20 to 30 incidents are investigated daily.
Attacks, in general, can happen anywhere. "[Cybercriminals] will attack the slowest antelope in the herd," Lacey says. "So if you are a large enterprise and you're not doing your bit, not only will the attacks be more effective because you're not defending it, but you will get attacked more frequently because they will basically go wherever they think they can extract value."
Types of cyberattacks
Cyber criminals can launch their attacks in a variety of ways. Here are a few types of common attacks:
Phishing is an email scam that attempts to coax recipients into sharing their personal or financial information. Phishers often use fake websites or email messages that appear to be from trusted individuals, organizations, or brands in order to steal important information such as user names, passwords, credit card numbers, or Social Security numbers. Here at Johns Hopkins, these types of emails are sent almost daily to faculty and staff members. Some recent examples include emails asking recipients to click on links to review pay statements or to validate their accounts.
Malware, or malicious software, is computer code or software with intent to harm. It can describe a number of different types of attacks, including viruses, Trojan horses, worms, ransomware, spyware, and more. Often, this type of attack enters a system through a computer that is not up-to-date on its patches or through a downloaded attachment or software. These attacks have the capability to cause serious damage, such as stealing information or taking down a computer system. In the case of ransomware, the attacker encrypts or locks files and demands a ransom to release them.
Password attacks happen when a cybercriminal tries to crack a user's password to break into a computer system. Typically, these hackers use software on their own system to try to determine a user's passwords. One type of password attack is a brute-force attack, when an attacker uses a combination of numbers, letters, and characters to figure out a password.
How can you protect yourself?
Because Johns Hopkins is the target of attacks on a regular basis, "our muscles are pretty well-toned," Lacey says. When an attack happens, "it's unlikely we'll be asleep at the switch." While he admits mistakes are possible, Lacey promises that his team will pay attention and adjust rapidly to the ever-changing cybersecurity world.
Faculty and staff members can also do their part to prevent cyberattacks by being mindful of their cyber interactions. Here are a few tips:
- Avoid opening unexpected email attachments, even if you know the sender.
- Do not respond to online requests for personally identifiable information. Most organizations, including Johns Hopkins, will not ask for this information through the internet.
- Change your passwords on a regular basis and ensure they only have meaning to you.
- At home, make sure your computer is patched with antivirus software.
- When in doubt, trust your instincts. If an offer looks too good to be true, you are probably right.
Lacey also suggests that while taking steps to protect yourself is important, he warns about being overly paranoid and points to studies that show that thinking too much about cybersecurity can have a negative impact on your actual security and well-being. "You can get information overload, where you start to realize there's nothing [you] can do, and you stop making good decisions."
For more information on cybersecurity and for additional tips to protect yourself, visit the Department of Homeland Security's cyber incident web page.
Go to the CEPAR website for more stories from the Hopkins on Alert newsletter, where this article first appeared.