Universities cyber attack each other to test defences
Twenty UK universities have signed up to take part in a cyber attack exercise that aims to expose weak spots in their systems that could be exploited by illegal hackers.
Named Exercise Mercury, the competition is aimed at benchmarking a security posture in the higher education sector and providing information that can be shared for the benefit of the whole sector.
It was developed at Tallinn University of Technology in Estonia and Cambridge University and is being supported by Jisc, the not-for-profit provider of technology solutions for higher education and research in the UK.
Universities are paired off and each spends a week ‘attacking’ the other using an internal team of staff and students to uncover vulnerabilities in processes, policies, procedures, technology infrastructure and the digital footprint.
Teams typically spend two days checking out what is most important to the opposition (sensitive research, for example) and the remainder of the week working out how to cause the most damage. Using open source intelligence and social engineering techniques, the hackers perform a controlled simulation of an attack with clear legal boundaries.
The winning team is the one that would have made the most negative impact.
The exercise began late last year, and once all 20 universities have been tested, which will take about six months, the data will be collated and information on common vulnerabilities shared throughout the UK higher education sector by Jisc.
Sharing intelligence
Its director of security, Steve Kennett, said: “Through our relationships with security agencies such as the National Cyber Security Centre, Jisc is doing all it can to collate and share intelligence on cyber attacks for its members and this excellent competition will provide even more valuable information. We hope it will give us a better idea of the actual security landscape in higher education.”
Kieren Lovell, a cyber security specialist at Tallinn University, said: “Although this is a fun exercise, the professional pride at stake adds a competitive element and means the teams are very motivated to get results.
“What we learn will help universities to protect themselves from hostile cyber actors, who are a growing problem for all organisations. It will also give university security staff invaluable experience in ethical hacking.”
Jisc runs the national research and education network Janet, which has in-built cyber security protection. The organisation also monitors the network for security incidents and, through various services and advice and supports its members in protecting their own cyber space.

Latest Jobs
-
- Security Auditor / 3rd Party Assurance. London. End user
- London
- 60000
-
Security Auditor / 3rd Party Assurance. London. End user The Security Auditor / 3rd Party Assurance role has two key functions. Manage the ongoing assessment of new and existing 3rd party suppliers to ensure they meet the internal policies / controls. (Reassessment etc) Internal Auditing across business to ensure various departemnt / operations are compliant and inline with internal ISMS etc. ISO 27001 internal audit experience, creation of audit reports experinece essential. This is an internal business so broad experience across a multiple technology environment (cloud and on prem) is highly desirable. MUST be able to engage and work with senior stakeholders in an often faced pace environment. ISO27001, NIST, CISSP, CISA Risk assessment experinece needed This is a permanent role.. Blend of technical and consultative approach needed. This role will require someone to travel to London a few days a week once lock down permits and their offices fully reopen. All details kept in confidence. Apply today to find out more.
-
- Security Auditor / 3rd Party Assurance. London. End user
- London
- 60000
-
Security Auditor / 3rd Party Assurance. London. End user The Security Auditor / 3rd Party Assurance role has two key functions. Manage the ongoing assessment of new and existing 3rd party suppliers to ensure they meet the internal policies / controls. (Reassessment etc) Internal Auditing across business to ensure various departemnt / operations are compliant and inline with internal ISMS etc. ISO 27001 internal audit experience, creation of audit reports experinece essential. This is an internal business so broad experience across a multiple technology environment (cloud and on prem) is highly desirable. MUST be able to engage and work with senior stakeholders in an often faced pace environment. ISO27001, NIST, CISSP, CISA Risk assessment experinece needed This is a permanent role.. Blend of technical and consultative approach needed. This role will require someone to travel to London a few days a week once lock down permits and their offices fully reopen. All details kept in confidence. Apply today to find out more.
-
- Head of Penetration Testing, UK based, Flexible location.
- United Kingdom
- Upto £100,000 plus excellent benefits
-
Head of Penetration Testing needed to join a security consultancy that are delivering client facing penetration testing services around Web app and Infrastructure. Looking for someone hands on that is able to manage a highly skilled technical team of testers. 50-60% of the time is expected to be hands on, other duties will include, but not be limited to; leading and managing the day to day running of the team, mentoring, team upskill, recruitment, reporting, escalation, process improvement etc. Flexible location although south east is preferred. Anyone with Check / CREST experience is highly desirable. MUST be able to achieve SC clearance. UK based role. All details kept in confidence.
-
- Technical Security Analyst. Immediate opportunity,
- Newcastle upon Tyne
- 48000
-
Technical Security Analyst. Immediate opportunity, Technical Security Analyst needed to join a specialist security team. This role will require travel into the office in a hybrid model once industry returns back to the working environment. The Security Analyst must be commutable to Newcastle upon Tyne. This is an Immediate opportunity. An essential requirement of the role is to be able to engage with internal stakeholders so a blend off technical hands on analytical and consultative communication skills. The role will include, but not be limited to; managing and handling incidents end to end, log review, incident analysis, escalation, vulnerability assessment, Automation, Malware Analysis, Threat intelligence, etc All details kept in confidence. https://calendly.com/chris-holt/call-with-chris-holt-dcl-search