CTF Challenge #3: Spot the Essential Eight Gap Before the Auditor Does
Difficulty: Beginner–Intermediate | Reading time: 8 minutes | Product tie-in: Essential Eight Assessment Kit ($47)
TL;DR
- The ASD Essential Eight is Australia's baseline cybersecurity framework — not optional for government suppliers and increasingly expected by enterprise clients
- This challenge presents a real business environment and asks you to identify which Essential Eight controls are missing or misconfigured
- Missing even one control at Maturity Level 1 is enough to fail a supplier audit
- The lil.business Essential Eight Assessment Kit gives you the exact gap analysis tool to find your current level
The Setup: Bluewater Conveyancing
Bluewater Conveyancing is a 12-person legal conveyancing firm in Brisbane. They have recently started working with a state government housing agency and have been asked to demonstrate compliance with the ASD Essential Eight at Maturity Level 1 as a condition of the contract.
Their IT setup:
- Windows 11 workstations (mixed — some still on Windows 10)
- Microsoft 365 for email and documents
- Xero for accounting
- A local NAS drive for document storage (no off-site backup)
- One administrator account that multiple staff know the password to
- Staff can install software from the internet freely
- Microsoft Defender is enabled but not centrally managed
- Multi-Factor Authentication is enabled on Microsoft 365 for admins only
- No formal patch management process — "we update when Windows prompts us"
The Challenge: 8 Controls, 8 Questions
The ASD Essential Eight defines eight controls [1]. For each one, assess whether Bluewater Conveyancing is compliant, partially compliant, or non-compliant at Maturity Level 1.
Control 1: Application Control
Bluewater staff can download and install any application from the internet without approval. Staff have local administrator privileges.
Is this Essential Eight compliant at ML1?
A) Compliant — Microsoft Defender scans downloads
B) Non-compliant — ML1 requires that only approved applications can execute on workstations
C) Partially compliant — personal use is fine, the issue is only business-critical machines
D) Not applicable — Application Control only applies to servers
Control 2: Patch Applications
Bluewater applies patches "when Windows prompts." There is no formal schedule. Some workstations are 45 days behind on patches.
Is this Essential Eight compliant at ML1?
A) Compliant — updating when prompted meets the spirit of the requirement
B) Non-compliant — ML1 requires patches for internet-facing services within 48 hours of release if a vulnerability is rated critical, and other patches within one month [1]
C) Partially compliant — personal workstations are fine to patch late; only servers matter
D) Compliant if the delayed patches don't have known public exploits
Control 3: Configure Microsoft Office Macro Settings
Bluewater uses Microsoft 365. Macros are currently enabled for all users by default because one staff member uses an old Excel macro for timesheet calculations.
Is this Essential Eight compliant at ML1?
A) Compliant — macros are a legitimate business tool
B) Non-compliant — ML1 requires macros to be blocked unless they are from a trusted publisher or digitally signed with a certificate trusted by the organisation [1]
C) Partially compliant — disabling macros for most users while allowing one is acceptable
D) Office macros are no longer an Essential Eight control as of the 2023 update
Control 4: User Application Hardening
Bluewater uses the default Microsoft 365 and browser configuration. Web browser plugins are unrestricted. No browser hardening has been applied.
Is this Essential Eight compliant at ML1?
A) Compliant — Microsoft's default configurations are sufficiently hardened
B) Non-compliant — ML1 requires web browsers to block ads and prevent running Java from the internet, and that unneeded browser extensions are disabled [1]
C) Partially compliant — default configs are close enough to pass a spot audit
D) Not applicable — browser hardening is only required for ML2 and above
Control 5: Restrict Administrative Privileges
One administrator account exists and multiple staff know the password. It is used for software installation, config changes, and sometimes email.
Is this Essential Eight compliant at ML1?
A) Compliant — having one shared admin account is better than everyone having admin
B) Non-compliant — ML1 requires that privileged accounts are not used for email and web browsing, and that privilege is only granted when needed for a specific task [1]
C) Partially compliant — the password is strong, which compensates for shared use
D) Compliant — shared admin accounts are common in SMBs and accepted at ML1
Control 6: Patch Operating Systems
Some Bluewater workstations are still running Windows 10. Windows 10 mainstream support ended in October 2025. No OS patch management schedule exists.
Is this Essential Eight compliant at ML1?
A) Compliant — Windows 10 still receives security patches through extended support
B) Non-compliant — ML1 requires that operating systems are no longer "end of life" and that OS patches are applied within one month of release [1]
C) Partially compliant — only internet-facing systems need to be up to date
D) Compliant — the Essential Eight patch control applies to applications, not OS versions
Control 7: Multi-Factor Authentication
MFA is enabled on Microsoft 365 but only for admin accounts. Standard user accounts use password only.
Is this Essential Eight compliant at ML1?
A) Compliant — protecting admin accounts is the priority, and that is done
B) Non-compliant — ML1 requires MFA for all users accessing online services, including Microsoft 365 [1]
C) Partially compliant — admin MFA is the most important, staff accounts can follow
D) Compliant — staff accounts have complex passwords which achieve the same outcome
Control 8: Regular Backups
Bluewater backs up to a local NAS drive mounted as a network share. The last off-site or offline copy is unknown. Backups have never been tested.
Is this Essential Eight compliant at ML1?
A) Compliant — daily local backups meet the requirement
B) Non-compliant — ML1 requires that backups are retained for at least three months, tested for restoration, and disconnected from production systems [1]
C) Partially compliant — daily frequency is fine, testing is optional at ML1
D) Compliant — cloud-synced files (OneDrive) provide adequate redundancy
The Answers
Every single control is non-compliant or partially compliant.
Bluewater Conveyancing would fail an Essential Eight Maturity Level 1 assessment on all eight controls.
- Application Control — Non-compliant. Unrestricted software installs mean unapproved applications can execute on workstations.
- Patch Applications — Non-compliant. 45 days behind on patches; ML1 requires critical patches within 48 hours.
- Macro Settings — Non-compliant. Macros enabled globally; ML1 requires trusted-publisher restriction.
- Application Hardening — Non-compliant. Default browser config doesn't meet ML1 hardening requirements.
- Restrict Admin Privileges — Non-compliant. A shared admin account that is also used for email is a direct violation.
- Patch Operating Systems — Non-compliant. End-of-life Windows 10 machines; no patch schedule.
- MFA — Non-compliant. MFA required for all users at ML1, not just admins.
- Backups — Non-compliant. A backup on a mounted network share with no offline copy is one ransomware incident away from zero backups.
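The findings above are what an auditor would record from interviews and documents; as an added example (not part of the original challenge or the Assessment Kit), the read-only PowerShell script below checks a single Windows workstation for four of the same gaps. It assumes an elevated session and Microsoft 365 Apps, whose Office policy keys live under version 16.0.

```powershell
# Added example: read-only ML1 spot check for one workstation. It changes nothing.
$findings = @()

# Control 5: how many accounts hold local admin rights on this machine?
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 1) {
    $findings += "Restrict Admin Privileges: $($admins.Count) local administrators ($($admins -join ', '))"
}

# Control 6: is the OS still supported? Windows 10 is end of life per the challenge text.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -match 'Windows 10') {
    $findings += "Patch Operating Systems: end-of-life OS ($($os.Caption), build $($os.BuildNumber))"
}

# Controls 2 and 6: days since the last installed update. Get-HotFix only lists OS updates,
# so this is a rough signal, not a full patch inventory.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
if ($null -eq $age -or $age -gt 30) {
    $detail = if ($last) { "$($last.HotFixID) installed $age days ago" } else { 'no update history found' }
    $findings += "Patch Applications/OS: $detail; ML1 window is one month"
}

# Control 3: Excel macro policy. VBAWarnings 1 = enable all (the Bluewater state),
# 2 = disable with notification (users can still click Enable), 3 = only digitally signed,
# 4 = disable all without notification. Assumption: policy key path for Office 16.0.
$policy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
$vba = (Get-ItemProperty -Path $policy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($null -eq $vba -or $vba -le 2) {
    $state = if ($null -eq $vba) { 'not policy-managed' } else { "set to $vba" }
    $findings += "Macro Settings: Excel VBAWarnings is $state; ML1 expects signed-only (3) or blocked (4)"
}

if ($findings.Count -eq 0) { 'No ML1 gaps detected by these checks' } else { $findings }
```

Run it per workstation and keep the output with the assessment notes; a clean result here does not cover application control, browser hardening, MFA or backups, which are checked in Microsoft 365 and the backup system rather than on the endpoint.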
What This Means for a Real Business
A firm in this state submitting to a government supplier audit would be immediately disqualified. The fixes are not technically complex — they are primarily configuration and process changes. But without a baseline assessment, businesses don't know where their gaps are.
The lil.business Essential Eight Assessment Kit gives you a structured gap analysis tool: a pre-built questionnaire covering all eight controls across all four maturity levels, with remediation guidance mapped to each finding. Designed for businesses without a dedicated security team.
$47 — Get the Essential Eight Assessment Kit
FAQ
The Essential Eight is mandatory for Commonwealth government entities. For private sector businesses, it is a strong expectation when supplying to government, and increasingly appears as a vendor qualification requirement in enterprise procurement. It is also the basis for many cyber insurance assessments in Australia.
Maturity Level 1 provides basic protections against opportunistic attacks. ML2 adds protections against more targeted threats. ML3 is designed to protect against sophisticated, persistent adversaries. Most SMBs should target ML1 as a baseline and ML2 if they hold sensitive data or supply to government.
For a 10–20 person business using Microsoft 365, implementing the Essential Eight at ML1 typically takes 2–4 weeks of IT effort. The most time-consuming controls are Application Control configuration and MFA rollout to all users. Patch management and backup changes can be made in a day.
The first step is a gap analysis against all eight controls at each maturity level. The lil.business Essential Eight Assessment Kit provides a structured questionnaire that maps your current environment to the ASD Essential Eight criteria and identifies your maturity level and priority gaps.
References
[1] Australian Signals Directorate, "Essential Eight Maturity Model," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
[2] Australian Government, "Protective Security Policy Framework," PSPF, 2024. [Online]. Available: https://www.protectivesecurity.gov.au/
[3] ACSC, "Small Business Cyber Security Guide," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security-guide
[4] NIST, "Cybersecurity Framework 2.0," NIST, 2024. [Online]. Available: https://www.nist.gov/cyberframework
Don't guess your maturity level — measure it. The lil.business Essential Eight Assessment Kit gives you the exact gap analysis tool — $47, instant download.