See more in:
Preparedness Spotlight: What You Need to Know About Cybersecurity
From tricking people into revealing personal information (phishing) to shutting down entire computer systems, it seems cybercriminals can readily gain access to many individuals and systems. Attackers can steal identities, medical records and more, but most often, they want money. To protect yourself against cyberattacks, it’s important to know the facts.
What is a cyberattack?
A cyberattack happens when an adversary or an attacker targets computer networks, systems and infrastructures. These attacks are what Darren Lacey, chief information security officer for The Johns Hopkins University and Health System, says his team spends most of its time and money on. In the past 10 years, the number of attacks on organizations like Johns Hopkins has grown and become more sophisticated. According to Lacey, Johns Hopkins receives millions of security-related incidents a day, but the network firewall blocks a majority of these attacks. About 20 to 30 incidents are investigated daily.
Attackers, in general, can happen anywhere. “[Cybercriminals] will attack the slowest antelope in the herd,” says Lacey. “So if you are a large enterprise and you’re not doing your bit, not only will the attacks be more effective because you’re not defending it, but you will get attacked more frequently because they will basically go wherever they think they can extract value.”
Types of cyberattacks
Cybercriminals can launch their attacks in a variety of ways. Here are a few types of common attacks:
Phishing is an email scam that attempts to coax recipients into sharing their personal or financial information. Phishers often use fake websites or email messages that appear to be from trusted individuals, organizations or brands in order to steal important information, such as usernames, passwords, credit card numbers or Social Security numbers. Here at Johns Hopkins, these emails are sent almost daily to faculty and staff members. Some recent examples include emails asking recipients to click on links to review pay statements or validate their accounts.
Malware, or malicious software, is computer code or software with intent to harm. It can describe a number of different types of attacks, including viruses, Trojan horses, worms, ransomware, spyware and more. Often, this type of attack enters a system through a computer that is not up to date on its patches or through a downloaded attachment or software. These attacks have the capability to cause serious damage, whether it’s stealing information or taking down a computer system. In the case of ransomware, the attacker encrypts or locks files and demands a ransom to release them.
Password attacks happen when a cybercriminal tries to crack a user’s password to break into a computer system. Typically, these hackers use software on their own system to try to determine a user’s passwords. One type of password attack is a brute-force attack, when an attacker uses a combination of numbers, letters and characters to figure out a password.
How can you protect yourself?
Because Johns Hopkins is the target of attacks on a regular basis, Lacey says, “Our muscles are pretty well-toned.” When an attack happens, he adds, “It’s unlikely we’ll be asleep at the switch.” While he admits mistakes are possible, Lacey promises that his team will pay attention and adjust rapidly to the ever-changing cybersecurity world.
Faculty and staff members can also do their part to prevent cyberattacks by being mindful of their cyber interactions. Here are a few tips:
Lacey also suggests that while taking steps to protect yourself is important, he warns about being overly paranoid and points to studies that show thinking too much about cybersecurity can have a negative impact on your actual cybersecurity and well-being. “You can get information overload, where you start to realize there’s nothing I can do, and you stop making good decisions.”
For more information on cybersecurity and additional tips to protect yourself, visit the Department of Homeland Security’s cyber incident webpage.