CTF Challenge #10: The Final Boss — Full Security Audit of a Real SMB Environment

Difficulty: Advanced | Reading time: 12 minutes | Product tie-in: Security Foundations Bundle ($497)


TL;DR

  • This is the capstone challenge: a complete security audit of a 50-person SMB across 10 security domains
  • Find all 10 critical gaps hidden in the scenario — each represents a real-world issue that causes breaches
  • Scoring 8+ means you have strong security intuition and are ready to run a real security program
  • The lil.business Security Foundations Bundle gives you every tool needed to run this audit on your own business

The Final Boss Scenario: Meridian Group

Meridian Group is a 50-person managed services provider (MSP) based in Sydney. They manage IT for 22 client businesses, holding privileged access to client networks. They have been operating for 11 years and have never had a "significant" security incident — though they have no incident log to confirm this.

A new CTO has asked for an honest assessment. You have been given full access for one week.

Your job: find the 10 critical security gaps hidden in this environment description.


The Environment

Domain 1: Identity and Access Management

  • All staff have one Microsoft 365 account
  • MFA is enabled for all staff on Microsoft 365
  • The shared IT admin account [email protected] has a shared password known to all 7 IT staff
  • Service accounts used for client work are not documented; passwords are stored in a shared Notepad file on the file server
  • Two former IT staff still have active Azure AD accounts (departed 60 and 90 days ago)

Domain 2: Network Security

  • Cisco Meraki firewalls deployed at the office
  • Guest Wi-Fi is segmented from the corporate network
  • Client VPN connections originate from Meridian's office IP — the same IP used for all staff internet browsing
  • The network monitoring dashboard hasn't been checked in 45 days
  • One 8-year-old Cisco switch with end-of-life firmware in the comms room

Domain 3: Endpoint Security

  • Microsoft Defender for Business deployed on all Windows endpoints
  • Security alerts from Defender are emailed to [email protected] — a shared inbox nobody actively monitors
  • Two staff have personal MacBooks they use for some client work — not enrolled in MDM
  • Software update policy: "automatic updates" enabled
  • No application control or allowlisting

Domain 4: Data Management

  • Client data is stored in a shared drive on the file server: folder permissions are set by client name but all IT staff have access to all client folders
  • No data classification policy
  • Client credentials (admin passwords, API keys) are stored in a shared KeePass database with one password known to all IT staff
  • Backup: daily incremental to Wasabi cloud storage
  • No data retention or destruction policy

Domain 5: Vulnerability Management

  • Annual external penetration test from a reputable firm
  • Penetration test findings from 12 months ago: 3 medium findings still open
  • Windows Update managed by Microsoft Defender for Business
  • Last internal vulnerability scan: never conducted
  • Third-party software (Adobe, Chrome, Zoom) updated manually "when staff notice prompts"

Domain 6: Supplier and Client Access Management

  • Meridian holds privileged access (domain admin in most cases) to 22 client environments
  • Access is via shared local admin accounts — not per-technician accounts
  • No access log for client environment actions
  • Client access credentials stored in the same shared KeePass database as Meridian's own credentials
  • No formal offboarding process for client access when client contracts end (2 former clients still accessible)

Domain 7: Security Policies and Documentation

  • Acceptable Use Policy (AUP) exists — last updated 2021 (outdated)
  • No information security policy
  • No change management policy
  • No asset inventory — rough spreadsheet exists but is 18 months out of date
  • Staff told "if you're not sure, ask IT" — no formal escalation path

Domain 8: Security Awareness

  • No security awareness training program
  • Phishing simulation: never conducted
  • Staff onboarding includes "a quick chat about passwords"
  • One incident last year: staff member received a phishing email from a compromised client and forwarded it internally — no formal response

Domain 9: Incident Response

  • No incident response plan
  • The one security event last year was handled ad-hoc via Slack
  • No forensics capability or log retention policy
  • Logs retained for 7 days (Defender, firewall, O365)
  • No insurance policy covering cyber incidents

Domain 10: Business Continuity

  • Backup tested quarterly
  • Recovery time objective: undocumented
  • No disaster recovery plan
  • Office has a generator for power outages
  • No documented BCP covering staff availability, communication, or alternate work arrangements

The Challenge

Identify the 10 most critical security gaps across this environment.

Write down your list before reading the answers.

Each gap should name:

  1. The domain
  2. The specific issue
  3. Why it is critical (not just "bad practice")

The 10 Critical Gaps

Gap 1: Shared Privileged Accounts with No Individual Accountability (Domain 1 + Domain 6)

The shared sysadmin account and shared client access accounts mean that when (not if) a privileged action causes harm — intentional or accidental — there is no way to attribute it to an individual. For an MSP holding domain admin in 22 client environments, this is a single point of catastrophic failure: one malicious or negligent IT staff member can take down all 22 clients, and there will be no audit trail. This is the most critical gap.

Gap 2: Former IT Staff with Active Accounts + Former Client Access Still Live (Domain 1 + Domain 6)

Two former IT staff have active Azure AD accounts 60–90 days post-departure. Two former clients are still accessible. If a departed staff member retained the shared KeePass password and also has their Azure AD account active, they have full access to 22 client environments. This is both an immediate breach risk and a legal liability.

Gap 3: Unmonitored Security Alerts (Domain 3)

Microsoft Defender for Business is generating security alerts to a shared inbox nobody monitors. This is equivalent to having a fire alarm and disabling the bell. Endpoint detection capability is in place but has zero value if alerts are never reviewed. One unreviewed alert could be the early warning of a ransomware deployment in progress.

Gap 4: Open Penetration Test Findings (Domain 5)

Three medium findings from the annual penetration test are still open 12 months later. A penetration test that generates findings that are never remediated is an expensive waste of money — and a legal liability. If a breach occurs via one of those known vulnerabilities, the documented evidence of awareness without remediation is a negligence argument in litigation.

Gap 5: No Per-Technician Access Logging for Client Environments (Domain 6)

Meridian holds privileged access to 22 client environments with no individual accountability and no audit log of actions taken. If a client alleges that an action taken in their environment caused harm, Meridian has no forensic record to demonstrate what was done, when, and by whom. For a business whose entire value proposition is trusted access, this is an existential liability.

Gap 6: Client and Own Credentials in the Same Shared Credential Store (Domain 4 + Domain 6)

Client admin passwords and Meridian's own credentials are in the same KeePass database with a single shared password. If that password is compromised — via phishing, shoulder surfing, or a departing staff member — an attacker gets simultaneous access to Meridian's internal systems AND all 22 client environments. Credential separation between internal and client systems is fundamental for MSPs.

Gap 7: Personal Devices Accessing Client Work Without MDM Enrollment (Domain 3)

Two staff use personal MacBooks for client work. These devices are not enrolled in Mobile Device Management, meaning no security baseline enforcement, no remote wipe capability, no visibility into installed software. A compromise of a personal device could directly pivot to client environments through stored credentials or active VPN sessions.

Gap 8: No Incident Response Plan + 7-Day Log Retention (Domain 9)

There is no incident response plan and logs are retained for only 7 days. During a real incident — especially one involving client environments — a forensic investigation requires log data from weeks or months before the incident was detected. NIST incident response guidance recommends a minimum 90-day retention for security-relevant logs [1]. Seven days means Meridian cannot forensically investigate any incident they detect more than a week after the intrusion.

Gap 9: No Security Awareness Training + No Formal Escalation Path (Domain 8 + Domain 7)

Staff have no training and no documented escalation path for suspicious activity. The phishing event last year — where a staff member forwarded a phishing email internally rather than reporting it — demonstrates this gap exactly. In an MSP context, a single staff member clicking a phishing email can cascade into all 22 client environments.

Gap 10: No Cyber Insurance (Domain 9 + Domain 10)

Meridian holds privileged access to 22 client environments and has no cyber insurance. A single ransomware event in a client environment with a forensic investigation tracing the breach to a Meridian access path could result in multi-million dollar liability claims. Cyber insurance for an MSP covers both first-party costs and third-party liability.
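As an added example (not code from the original challenge or from lil.business), the following Python script turns three of the gaps above into repeatable checks a reviewer could run against exported data: enabled directory accounts whose owner has left and vault entries for ended client contracts (Gap 2), open penetration-test findings past a remediation SLA (Gap 4), and log sources retained for less than the 90-day minimum (Gap 8). The account names, example.invalid addresses, client names, finding references, dates and the per-severity SLA values are constructed assumptions; the 90-day retention figure is the one stated in the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLAs per finding severity (days). Illustrative policy
# values chosen for this example, not figures from the scenario.
REMEDIATION_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Minimum retention for security-relevant logs, the 90-day figure used in Gap 8.
MIN_LOG_RETENTION_DAYS = 90


@dataclass(frozen=True)
class StaffAccount:
    """One directory account joined with the HR departure date (None if current staff)."""
    upn: str
    enabled: bool
    departed_on: Optional[date]


@dataclass(frozen=True)
class ClientAccess:
    """One client engagement and whether its credentials still sit in the shared vault."""
    client: str
    contract_end: Optional[date]   # None while the contract is active
    credential_in_vault: bool


@dataclass(frozen=True)
class PentestFinding:
    ref: str
    severity: str
    opened: date
    closed: Optional[date]


def stale_staff_accounts(accounts: List[StaffAccount], today: date) -> List[str]:
    """Gap 2: accounts that are still enabled although their owner has already left."""
    return sorted(a.upn for a in accounts
                  if a.enabled and a.departed_on is not None and a.departed_on <= today)


def lingering_client_access(access: List[ClientAccess], today: date) -> List[str]:
    """Gap 2: ended contracts whose credentials were never removed from the vault."""
    return sorted(c.client for c in access
                  if c.credential_in_vault and c.contract_end is not None and c.contract_end < today)


def overdue_findings(findings: List[PentestFinding], today: date) -> List[Tuple[str, int]]:
    """Gap 4: open findings past their severity SLA, with the number of days overdue."""
    overdue = []
    for f in findings:
        if f.closed is not None:
            continue
        days_over = (today - f.opened).days - REMEDIATION_SLA_DAYS[f.severity]
        if days_over > 0:
            overdue.append((f.ref, days_over))
    return sorted(overdue)


def retention_shortfall(retention_days: Dict[str, int]) -> Dict[str, int]:
    """Gap 8: log sources kept for less than the minimum, with the shortfall in days."""
    return {src: MIN_LOG_RETENTION_DAYS - days
            for src, days in retention_days.items() if days < MIN_LOG_RETENTION_DAYS}


# Constructed sample data mirroring the scenario (hypothetical, not real Meridian data).
AUDIT_DATE = date(2025, 6, 30)

SAMPLE_ACCOUNTS = [
    StaffAccount("tech1@example.invalid", True, date(2025, 5, 1)),    # left 60 days ago, still enabled
    StaffAccount("tech2@example.invalid", True, date(2025, 4, 1)),    # left 90 days ago, still enabled
    StaffAccount("tech3@example.invalid", False, date(2024, 12, 1)),  # left and correctly disabled
    StaffAccount("tech4@example.invalid", True, None),                # current staff
]

SAMPLE_CLIENT_ACCESS = [
    ClientAccess("Client A", None, True),
    ClientAccess("Former Client 1", date(2025, 1, 15), True),
    ClientAccess("Former Client 2", date(2024, 11, 30), True),
    ClientAccess("Former Client 3", date(2024, 8, 31), False),        # offboarded properly
]

SAMPLE_FINDINGS = [
    PentestFinding("PT-2024-01", "medium", date(2024, 6, 30), None),  # the three open mediums
    PentestFinding("PT-2024-02", "medium", date(2024, 6, 30), None),
    PentestFinding("PT-2024-03", "medium", date(2024, 6, 30), None),
    PentestFinding("PT-2024-04", "high", date(2024, 6, 30), date(2024, 7, 20)),
    PentestFinding("PT-2025-01", "low", date(2025, 3, 22), None),     # 100 days old, within SLA
]

SAMPLE_RETENTION = {"defender": 7, "firewall": 7, "m365": 7}          # the 7-day retention from Domain 9


def run_audit(today: date = AUDIT_DATE) -> dict:
    """Run all checks over the sample data and return one result per gap."""
    return {
        "stale_staff_accounts": stale_staff_accounts(SAMPLE_ACCOUNTS, today),
        "lingering_client_access": lingering_client_access(SAMPLE_CLIENT_ACCESS, today),
        "overdue_findings": overdue_findings(SAMPLE_FINDINGS, today),
        "retention_shortfall": retention_shortfall(SAMPLE_RETENTION),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

In practice the sample lists would be replaced by a directory export joined with the HR leavers list, the contract register, the penetration-test tracker and each log platform's retention setting; the point of the script is that each check is a yes/no question with a dated answer, which is exactly what the shared-inbox and ad-hoc handling in the scenario never produce.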


Scoring

8–10 gaps found: You think like a security professional. You understand that gaps are systemic, not just technical.

5–7 gaps found: Strong security awareness. You caught the obvious issues but may have missed the MSP-specific risks in domain 6 and the credential separation issue.

3–4 gaps found: You found the visible problems but missed the compounding ones. The shared credential store + former access + no audit log combination is the kind of gap that doesn't look dangerous until it is.

0–2 gaps found: Start with challenges 1–9 in this series, then come back to this one.


The Full Picture

Most of the gaps above would be visible within the first 2–3 days of a structured security review. The problem isn't that Meridian's team is incompetent — it's that nobody ran a systematic assessment. Security gaps accumulate through growth, not negligence.

The lil.business Security Foundations Bundle gives you every tool in the series in one package:

  • CISO-in-a-Box: 90-day roadmap and policy templates
  • Essential Eight Assessment Kit: Gap analysis across all 8 controls
  • Security Foundations Checklist: Rapid assessment tool covering 10 domains
  • 60-minute consultation: A direct session with Monster to review your results and prioritise your top 3 actions

This is the complete starting point for a business that is serious about securing what they've built.

$497 — Get the Security Foundations Bundle


FAQ

The most common and most dangerous MSP security failure is using shared privileged accounts with no per-technician accountability. When an MSP holds domain admin access across dozens of client environments through shared accounts with no audit logging, a single compromised employee — or a single disgruntled one — can cause simultaneous catastrophic damage to every client. The MOVEit breach of 2023 demonstrated exactly this at scale.

When an MSP is breached, attackers typically use the MSP's privileged access as a pivot point into every client environment they can reach. The SolarWinds and Kaseya incidents showed this: a single trusted access point becomes an attack multiplier across dozens or hundreds of organisations. Clients of an MSP share the MSP's security posture whether they know it or not.

A minimum of 90 days for security-relevant logs (authentication, privileged access, firewall, endpoint alerts) is the NIST recommendation [1]. For MSPs with access to client environments, 12 months is better practice — breach investigations often require tracing activity from months before detection. Cloud-based SIEM solutions make this practical and affordable even for smaller MSPs.

Complete a structured gap assessment before spending anything on tools or services. Understanding where your actual gaps are — versus where you assume they are — determines whether your security investment will have real impact. The lil.business Security Foundations Checklist is designed as that first assessment: a rapid, domain-by-domain review that takes 2–3 hours and produces a prioritised list of actions.


References

[1] NIST, "SP 800-92: Guide to Computer Security Log Management," NIST, 2006 (guidelines still referenced). [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

[2] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[3] CISA, "MSP Cybersecurity Guidance," CISA, 2024. [Online]. Available: https://www.cisa.gov/sites/default/files/publications/CISA_MSP_Guidance.pdf

[4] Australian Signals Directorate, "Securing Managed Service Providers," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-managing-cloud/managed-services/securing-managed-service-providers

[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach


Ready to run this audit on your own business? The lil.business Security Foundations Bundle — everything you need, plus a 60-minute consultation — $497.
