Twenty UK universities have signed up to take part in a cyber attacking exercise that aims to expose weak spots in their systems which could be exploited by illegal hackers.
The competition, called Exercise Mercury, aims, for the first time, to benchmark security posture in higher education and to share the resulting information for the benefit of the whole sector.
Universities are paired off and each spends a week “attacking” the other using an internal team of staff and students to uncover vulnerabilities in processes, policies, procedures, technology infrastructure and the digital footprint.
Teams typically spend two days checking out what’s most important to the opposition (sensitive research, for example) and the remainder of the week working out how to cause the most damage. Using open source intelligence and social engineering techniques, the “hackers” perform a controlled simulation of an attack with clear legal boundaries. The winning team is the one that would have made the most negative impact.
Exercise Mercury, which is free for all participants, was launched at the Jisc cyber security conference in November 2018 by keynote speaker Kieren Lovell, a communications and cyber security expert. Kieren, who has a military background, worked for the University of Cambridge until summer 2018 and has since moved to Tallinn University of Technology in Estonia.
Once all 20 universities have been tested, which will take about six months, the data will be collated and information on common vulnerabilities shared throughout the UK higher education sector by Jisc, which is supporting the competition. Jisc provides cyber security protection for members' connections to the Janet Network, and helps universities to protect their own cyber space.
Kieren Lovell said:
“Although this is a fun exercise, the professional pride at stake adds a competitive element and means the teams are very motivated to get results. What we learn will help universities to protect themselves from hostile cyber actors, who are a growing problem for all organisations. It will also give university security staff invaluable experience in ethical hacking.”
Jisc’s director of security, Steve Kennett, added:
“Through our relationships with security agencies such as the National Cyber Security Centre, Jisc is doing all it can to collate and share intelligence on cyber attacks for its members and this excellent competition will provide even more valuable information. We hope it will give us a better idea of the actual security landscape in higher education.”
And Professor Rain Ottis, head of the centre for digital forensics and cyber security at Tallinn University of Technology, Estonia, said:
“This truly is a win-win situation. The only losers from this exercise will be wannabe attackers, as it will reduce exposure to vulnerabilities. It will also allow us to understand what the problems are within our industry, as well as providing international connections to better share proper threat data.”