Universities are paired off and spend a week attacking each other using an internal team of staff and students to uncover vulnerabilities in processes, policies, procedures, technology infrastructure and digital footprint. Teams typically spend two days checking out what’s most important to the opposition (sensitive research, for example) and the remainder of the week working out how to cause the most damage.
Using open source intelligence and social engineering techniques, the hackers perform a controlled simulation of an attack with clear legal boundaries. The winning team is the one that would have made the most negative impact.
Once all 20 universities have been tested, the data will be collated and Jisc will share information on the UK HE sector’s common vulnerabilities.
Exercise Mercury aims to benchmark security in the HE sector and share the resulting information for the benefit of all.
Jisc’s director of security, Steve Kennett, said: “Through our relationships with security agencies, such as the National Cyber Security Centre, Jisc is doing all it can to collate and share intelligence on cyber attacks for its members. This competition will provide even more valuable information. We hope it will give us a better idea of the actual security landscape in higher education.”
Professor Rain Ottis, head of the centre for digital forensics and cyber security at Tallinn University of Technology, Estonia, said “The only losers from this exercise will be wannabe attackers as it will reduce exposure to vulnerabilities.”
For more information or to sign up to take part, visit www.exercisemercury.eu/en