How to conduct your own Essential Eight Maturity Level One Assessment.
The Australian Cyber Security Centre, part of the Australian Signals Directorate, has for several years now maintained a list of core strategies you can employ to reduce the risk of a successful cyberattack on your organisation. They’re called the Essential Eight and according to the ACSC, they could mitigate as much as 85% of all cyber attacks directed at your organisation.
That’s great news for those that have applied them, but how can you tell how well your organisation has implemented them and how secure you should feel as a result?
To answer that question, the ACSC has also developed the Essential Eight Maturity Assessment. It’s a framework for determining how close to the ideal state of security you are in your organisation, and creates a roadmap of activity you might wish to undertake, to step up your maturity level.
Typically, the assessment would be conducted by a security professional from a consultancy like Computer One. But if you are keen to bootstrap your own improvement programme, we have created an easy-to-follow guide to help you conduct your own self-assessment against the parameters of Maturity Level One.
Maturity Level One primarily addresses threats from malicious actors who use readily available techniques and tools to infiltrate and potentially control systems. These actors often exploit known, unpatched vulnerabilities in online services or use compromised credentials. Their approach is generally opportunistic, targeting any accessible victim rather than specific entities. They commonly use social engineering to deceive users and weaken system security, and may launch harmful applications. If they access accounts with special privileges, they exploit these to their advantage. Depending on their goals, these actors might also destroy data, including backups.
Where do you start?
First, you have to understand what the Essential Eight strategies are. Here’s the brief version.
- Patch Applications: Regularly update applications to fix identified security vulnerabilities.
- Patch Operating Systems: Regularly update operating systems to thwart potential exploits.
- Multi-Factor Authentication: Implement additional authentication methods to validate the identity of system users.
- Restrict Administrative Privileges: Limit administrative powers to only those who need them and even then, only when necessary.
- Application Control: Ensure only approved applications are allowed to execute inside your network.
- Restrict Microsoft Office Macros: Limit the use of macros to reduce potential for malicious code.
- User Application Hardening: Control the use of web browsers and PDF viewers to minimise risk.
- Daily Backup of Important Data: Ensure data is backed up daily and is recoverable.
Then, you have to know there are three levels of maturity in the framework:
- Maturity Level One: Partly aligned with the intent of the mitigation strategy.
- Maturity Level Two: Mostly aligned with the intent.
- Maturity Level Three: Fully aligned with the intent.
Then, you have to be honest with yourself about the level of evidence you are capable of gathering to support your assessment. The ACSC describes four levels of confidence in evidence you can use to support your assessment.
- Excellent Evidence: Conducting a test with a simulated activity to confirm the efficacy of a control (example: running a trial application to assess application control rulesets).
- Good Evidence: Inspecting a system’s configuration directly through its interface to evaluate its compliance with the expected policy.
- Fair Evidence: Examining a duplicate of the system’s configuration (such as through reports or screen captures) to verify policy enforcement.
- Poor Evidence: Relying on a written policy or verbal declaration of intent (example: referencing control measures in documentation, or discussing controls in interviews with the staff responsible for system security management). This is an arm’s-length assessment of the control in action; there is plenty of room for a disconnect between statement and action.
Pushing for the best form of evidence, and not allowing yourself to settle for written statements, will add extra credibility to your assessment.
Now you are ready to conduct your self-assessment against Level One.
Self-Assessment
The ACSC publishes a full description of what attributes mean your current posture falls into Level One, Two or Three on the framework. We have summarised them here, but you can find the full list at this page: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide
In the first instance, you must assess your organisation against Level One, not skip ahead to Level Two or Three.
Why is that?
The framework is intended to deliver an overall number and it doesn’t matter if you are at Level 3 on some items if you are at Level 0 on others. All aspects of your organisation must conform to the relevant requirements (or compensating controls must be in place to offset the absence of a conforming control) to say that your organisation has a maturity level of one, two or three.
Here is how to assess each of the attributes related to the eight strategies against Maturity Level One, as at November 30, 2023, starting with Patching Applications.
Note that where specific brands and products are mentioned below it should not be taken as an explicit endorsement of any particular product or website by Computer One or the ASD / ACSC. Having said that, we do use some of the products below, specifically Microsoft security products and Airlock Digital.
Patch Applications
Contextual Notes
Vendors frequently update online services and applications to fix vulnerabilities. By comparing applications in use with the latest versions from vendors, one can check if they are up-to-date and how recent the updates are, using release dates and patch notes.
Resources like the SANS Internet Storm Centre, the Microsoft Security Response Centre, or the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalogue help assess vulnerability severity and the existence of working exploits.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. | – View a demonstration of the asset discovery method. – Verify recent scan dates and scope. – Check for unauthorised assets on the network. – Consider aligning asset discovery timing with vulnerability scans. |
| A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. | – Review a vulnerability scan demonstration and confirm that all the online services known to be in use are in scope. – Confirm the database was updated recently (ideally within the 24 hours before the scan). |
| A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in services. | – Review a vulnerability scan. – Review recent scans for date/time and scope, and confirm they are happening daily. – Ensure scanned services match known used services. |
| A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. | – Review a vulnerability scan and confirm inclusion of all necessary applications. – Check previous scans for date/time and scanned applications to confirm frequency. |
| Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | – Use a network-based scanner to identify online services, their versions and install dates. Compare this information to the release dates of patches to determine whether the 48-hour patching timeframe has been met. – Consider using tools such as Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. The ASD also provides several tools, including the Essential Eight Maturity Verification Tool (E8MVT), but you must be a network partner, or use one for your assessment, to access them. – Manually check versions if a scanner is unavailable. |
| Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | – Similar to critical vulnerability patching. – Use network-based scanning or manual checks. The same E8MVT application can be used to identify unpatched applications. – Consider the potential for overlooked or unknown services. An automated scanner is likely to deliver more exhaustive results. |
| Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. | – Review the list of installed applications within ‘Programs and Features’. – Employ vulnerability scanners or PowerShell to further build out the list of installed applications. The ACSC offers a PowerShell script that outputs installed applications with registered uninstall functionality. You can find it here. This list should be reviewed in conjunction with the list of installed applications within ‘Programs and Features’ to ensure no applications are missed. – Review installed applications against patch release dates. – For manual checks, demonstrate application versions and install dates. |
| Online services that are no longer supported by vendors are removed. | – Use vulnerability scanners to check for end-of-life services. – Review evidence of removal of unsupported services. |
| Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. | – Assess using scanners for end-of-life status. – Demonstrate current versions and check against supported versions. – Verify Adobe Flash Player has been removed from the network. |
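As an added example (not the ACSC’s script referred to above), the following PowerShell enumerates applications from the same registry uninstall keys that ‘Programs and Features’ reads, parses install dates so they can be compared with patch release dates, and flags any Adobe Flash Player entry; the category filter at the end is an assumption to be tuned to your fleet.

```powershell
# Added example, not the ACSC script: enumerate installed applications with
# registered uninstall entries, the same source 'Programs and Features' reads.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit installs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs (e.g. Teams, Chrome per-user)
)

function Get-InstalledApplication {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |   # skip nameless entries (update stubs, components)
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text and is absent for many installers
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $installed
            }
        } |
        Sort-Object Name, Version -Unique
}

$apps = Get-InstalledApplication
# Keep a copy as evidence for the assessment file
$apps | Export-Csv -Path "$env:USERPROFILE\installed-apps.csv" -NoTypeInformation

# Control in the table above: Adobe Flash Player must be gone from the network
$flash = $apps | Where-Object { $_.Name -like 'Adobe Flash Player*' }
if ($flash) { 'FAIL: Adobe Flash Player uninstall entry still present'; $flash | Format-Table -AutoSize }
else        { 'PASS: no Adobe Flash Player uninstall entry found' }

# Assumed scoping filter for the ML1 categories (office suites, browsers, email
# clients, PDF software, security products); extend the pattern to suit your fleet
$inScope = $apps | Where-Object {
    $_.Name -match 'Office|Microsoft 365|Chrome|Firefox|Edge|Outlook|Thunderbird|Acrobat|Reader|Foxit|Defender|Antivirus'
}
# Oldest install dates first: these are the first candidates to check against release dates
$inScope | Sort-Object InstallDate | Format-Table Name, Version, Publisher, InstallDate -AutoSize
```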
Patch Operating Systems
Contextual Notes
Operating system vendors frequently issue updates to fix vulnerabilities. Unsupported systems, particularly those connected to the internet, are highly targeted by cyber attackers. While internal systems like workstations and non-internet-facing servers are less exposed, they still need timely patching to mitigate risks from sophisticated attacks.
Resources like the SANS Internet Storm Centre, the Microsoft Security Response Centre, or the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalogue can help determine the urgency and severity of these vulnerabilities.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. | – Review the performance of the automated asset discovery tool. This may be a standalone tool or integrated with a vulnerability scanner. – Verify past asset discovery scans for frequency and coverage. – Consider aligning discovery scan frequency with vulnerability scans for efficiency. – Use the asset discovery tool to spot any unauthorised assets connected to the system between scheduled scans and investigate them. |
| A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. | – Witness and review the vulnerability scanning process. – Ensure you see evidence of the vulnerability database having been updated recently, preferably within the last 24 hours. |
| A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. | – Review the process of daily vulnerability scanning and confirm it is taking place. – Acquire and review recent scan logs, focusing on timestamps and event details, to confirm the daily nature of the scan. |
| A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. | – Review the fortnightly scanning process and confirm it is taking place. – Acquire and review logs of recent scans, highlighting dates and coverage. Look for evidence of a fortnightly or more frequent scan schedule. |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. | – Use a network-based vulnerability scanner to verify up-to-date operating systems. – There are several free tools available such as Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. The ASD also publishes a free tool, but it is only available to ASD partners like Computer One. – From the ASD site: If using Windows Server Update Services (WSUS) for the assessment of this control, it is important to consider that WSUS does not necessarily report accurate patch levels. Specifically, WSUS has been known to report patches or updates that have been deployed but not whether they were successfully applied, are stuck, or whether the machine was rebooted (if required). – Utilise WMIC or PowerShell to produce a list of hotfixes and when they were applied. This can then be compared to available patches for vulnerabilities that have been identified as critical by the vendor, or are currently being exploited, to determine whether all applicable hotfixes have been applied. |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. | – Same process as the row above (scanner, WSUS caveat, WMIC or PowerShell hotfix list), but compare the hotfix install dates against the two-week window for non-critical vulnerabilities with no working exploits. |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. | – Same process as above, but compare the hotfix install dates against the one-month window for workstations, non-internet-facing servers and non-internet-facing network devices. |
| Operating systems that are no longer supported by vendors are replaced. | – Utilise scanners to identify the OS version. – Use the ‘winver’ command for Windows or ‘cat /etc/os-release’ for Linux to check OS versions. – Acquire screenshots of these outputs to compare with vendor support lists. |
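An added example, not an ASD tool: this PowerShell compares Get-HotFix output against a constructed list of required updates (the KB numbers and dates are placeholders, not real ones) using the 48-hour, two-week and one-month windows from the table, and also flags hotfixes installed since the last boot, which is the pending-reboot situation the WSUS caveat above describes.

```powershell
# Added example, not an ASD tool. Required-update list is CONSTRUCTED: replace the
# placeholder KB numbers and release dates with the vendor's real ones.
$requiredUpdates = @(
    [pscustomobject]@{ KB = 'KB0000001'; Released = '2023-11-14'; Critical = $true  }
    [pscustomobject]@{ KB = 'KB0000002'; Released = '2023-11-14'; Critical = $false }
)
$internetFacing = $true   # set per host; decides the non-critical window (14 or 30 days)

function Test-PatchTimeframe {
    param(
        [Parameter(Mandatory)] [object[]] $Required,
        [bool] $InternetFacing = $true,
        [object[]] $Installed = (Get-HotFix)   # reads the installed-hotfix list directly, not WSUS
    )
    # ML1 windows: 48 h when critical or exploited; otherwise two weeks for
    # internet-facing systems and one month for internal ones
    $nonCriticalDays = if ($InternetFacing) { 14 } else { 30 }
    foreach ($u in $Required) {
        $released = [datetime]$u.Released
        $deadline = if ($u.Critical) { $released.AddHours(48) } else { $released.AddDays($nonCriticalDays) }
        $hit = $Installed | Where-Object { $_.HotFixID -eq $u.KB } | Select-Object -First 1
        # InstalledOn carries only a date, so the 48 h check is day-granular
        $status = if (-not $hit)                      { 'MISSING' }
                  elseif (-not $hit.InstalledOn)      { 'INSTALLED (date unknown, verify manually)' }
                  elseif ($hit.InstalledOn -le $deadline) { 'PASS' }
                  else                                { 'LATE' }
        [pscustomobject]@{
            KB          = $u.KB
            Critical    = $u.Critical
            Deadline    = $deadline
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
            Status      = $status
        }
    }
}

$results = Test-PatchTimeframe -Required $requiredUpdates -InternetFacing $internetFacing
$results | Format-Table -AutoSize

# A hotfix installed after the last boot may still need a restart to take effect;
# WSUS reports such an update as deployed regardless.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$results | Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $lastBoot } |
    ForEach-Object { "WARNING: $($_.KB) installed after last boot ($lastBoot); a reboot may be pending" }
```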
Multi-factor Authentication
Contextual Notes.
Multi-factor authentication significantly enhances security by making it harder for malicious actors to misuse credentials. It’s particularly effective against brute force attacks that can easily breach single-factor methods like passwords. At maturity level one, the focus is on securing online services with multi-factor authentication. The permitted forms include a combination of something the user has (like a device or OTP) and something they know (like a password).
Biometrics aren’t recommended as an authentication factor because they are not secret and matching is probabilistic rather than exact; they can, however, be used to unlock other authentication factors. While not excluded, methods prone to social engineering, such as SMS codes or push notifications, should be used cautiously.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data. | – Test login to all the organisation’s services and observe whether multiple factors (for example a password and an OTP) are required, whether they are requested at once or in sequence after the first is verified. – If you are assessing a less familiar department in the organisation, investigate for other non-disclosed internet-facing portals lacking MFA. |
| Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data. | – Try logging into third-party services handling sensitive data and verify MFA presence. – If MFA is missing, verify whether it is unavailable or simply unimplemented. |
| Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation’s non-sensitive data. | – Test login to the third-party services. – If MFA is not presented, confirm with the provider whether MFA is an option. |
| Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process, store or communicate their organisation’s sensitive customer data. | – Attempt login to the organisation’s customer services and check for MFA. – Confirm non-availability of MFA if not implemented. |
| Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation’s sensitive customer data. | – Log into third-party customer services holding sensitive data to check MFA. – Confirm with the vendor about MFA’s availability if absent. |
| Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data. | – Test login to customer-facing online services for MFA presence. – Is multi-factor authentication set up as part of account creation, or do users need to set it up themselves after initial account creation? The latter is riskier than the former if there’s a grace period where MFA is not enforced. |
| Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are. | – Discover and evaluate MFA implementations across different systems and services. – Differentiate between multi-step and multi-factor authentication. The latter is required to assess as Level One. – Compare and assess the security levels of the various MFA methods in use (security keys, OTP devices, mobile apps, SMS codes). |
Restriction of Administrative Privileges
Contextual Notes
Privileged access management in organisations should be well-documented and integrated into routine workflows. Access requests for systems, applications, and data should be formally made through a form, service desk ticket, or email and must receive approval from a supervisor or the respective owner.
Keeping a record of these requests and a list of all applications requiring privileged access is essential. Due to the high risk associated with privileged accounts, which are often targets for malicious actors, their internet, email, and web service access should be restricted and granted only under specific, necessary conditions.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access. | – Verify whether privileged users have distinct privileged and unprivileged accounts, or use a single account for all tasks. The former is compliant and the latter is not. |
| Requests for privileged access to systems, applications and data repositories are validated when first requested. | – Request and review submitted forms, tickets, or emails for privileged access requests, endorsed by a supervisor or relevant owner. Compare these to actual privileged account access records to spot discrepancies that indicate the request process is not working as intended. |
| Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services. | – Test for internet access as a privileged user and check the internet proxy settings on the network to determine whether it is configured to block traffic from privileged accounts. – Use PowerShell to examine email access for privileged accounts. You can find an example script here. – BloodHound can help identify overlooked privileged accounts that PowerShell may miss. – Verify whether accounts, like those for cloud service management, have been permitted internet access through a formal application process. |
| Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties. | – Discover and assess how privileged accounts authorised for online services, such as cloud management, are restricted from using other internet services. This principle is about separating privilege from general internet access. |
| Privileged users use separate privileged and unprivileged operating environments. | – Discuss the implementation of distinct privileged and unprivileged environments for system management. Note that at this level of Essential Eight maturity, there are no constraints on how this is to be implemented beyond establishing that separate privileged and unprivileged environments have been set up. |
| Unprivileged accounts cannot logon to privileged operating environments. | – Try logging into a privileged environment with a standard account. – Use BloodHound to check for any unprivileged accounts accessing privileged environments by looking for cached credentials. |
| Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. | – Attempt to access an unprivileged environment as a privileged account, using a test account which should be removed post-testing. BloodHound can be used to assess whether any privileged accounts have accessed unprivileged environments by looking for cached credentials. |
Application Control
Contextual Notes
At this level, using an application control solution, such as Microsoft’s AppLocker or Windows Defender Application Control, or third-party tools like Airlock Digital, Ivanti, Trend Micro, or VMware Carbon Black, is essential.
You can conduct an application control assessment without using any tools, but the effectiveness of your test will be severely limited. Manual application control assessments are generally ineffective and easily overlook edge vulnerabilities targeted by malicious actors.
It is important to note that some application control solutions might not support files like .chm, .hta, and .cpl.
It is essential to assess paths used by standard user profiles and temporary folders in operating systems, web browsers, and email clients. Common paths include:
- `%userprofile%\*`
- `%temp%\*`
- `%tmp%\*`
- `%windir%\Temp\*`
To test application control effectiveness within these areas, try running benign executable files. The test should cover .exe, .com, .dll, .ocx, .ps1, .bat, .vbs, .js, .msi, .mst, .msp, .chm, .hta, and .cpl. If any executables run in the user profile directory or operating system temporary folders, the application control is not effective.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| Application control is implemented on workstations. | – Verify the presence of an application control solution on workstations. |
| Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients. | – Ensure application control covers user profiles and temporary folders of the OS, web browsers, and email clients as a minimum. – Note this is relevant for path-based rules only, as publisher-based and hash-based rules are automatically applied system-wide. |
| Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. | – Test the effectiveness of application control by trying to write and execute files in accessible user areas. Utilise free tools like Airlock Digital’s Application Whitelist Auditor or CyberArk’s Evasor for assessment. – If restricted to Microsoft tools, use Sysinternals AccessChk to analyse folder permissions. Run ‘accesschk -dsuvw [path] > report.txt’ to report writable path permissions and ‘whoami /groups’ to determine user group membership. – To test and review AppLocker policy, use the AppLocker PowerShell cmdlets. – In a tool-restricted system, you may have to acquire screenshots of ‘effective access’ permissions for critical folders to assess read/write/execute permissions, understanding that this method has limitations and may not cover all folders and sub-folders: at any point in a path, the permission inheritance originally set by the operating system may have been disabled by an application installer. |
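For sites using AppLocker, here is an added example (not from the page, ASD or Microsoft) that evaluates the effective AppLocker policy against benign, empty test files placed in the user-writable paths listed above, without executing anything, and reports the enforcement mode of each rule collection; the test file name, the extension split and the current-user default are assumptions.

```powershell
# Added example for AppLocker only. Drops empty placeholder files in the ML1 test
# paths, asks AppLocker how it would decide for each, then removes them.
$testDirs = @($env:USERPROFILE, $env:TEMP, $env:TMP, "$env:WINDIR\Temp") | Select-Object -Unique
# Extensions AppLocker's Exe/Dll/Script/Msi collections evaluate
$appLockerExts = '.exe', '.com', '.dll', '.ocx', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.msi', '.mst', '.msp'
# Listed in the text but outside AppLocker's collections: test these with the tools named above
$uncoveredExts = '.chm', '.hta', '.cpl'

function Test-UserPathAppControl {
    param([string[]] $Dirs, [string] $User = "$env:USERDOMAIN\$env:USERNAME")
    $policy = Get-AppLockerPolicy -Effective
    # Decisions below only matter for collections that are actually enforcing
    foreach ($rc in $policy.RuleCollections) {
        "$($rc.RuleCollectionType) collection: EnforcementMode=$($rc.EnforcementMode), rules=$(($rc | Measure-Object).Count)"
    }
    $files = foreach ($d in $Dirs) {
        if (-not (Test-Path $d)) { continue }
        foreach ($e in $appLockerExts) {
            $p = Join-Path $d "e8-appcontrol-test$e"
            # zero-byte placeholder: enough for path rules to match, never run
            New-Item -Path $p -ItemType File -Force -ErrorAction SilentlyContinue | Out-Null
            if (Test-Path $p) { $p }
        }
    }
    if (-not $files) { return }
    try {
        $policy | Test-AppLockerPolicy -Path $files -User $User -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FilePath
                    Decision = $_.PolicyDecision   # Allowed / Denied / DeniedByDefault
                    Rule     = $_.MatchingRule
                }
            }
    } finally {
        $files | Remove-Item -Force -ErrorAction SilentlyContinue
    }
}

$results = Test-UserPathAppControl -Dirs $testDirs
$results | Format-Table -AutoSize
$allowed = @($results | Where-Object { $_.Decision -eq 'Allowed' })
if ($allowed.Count -gt 0) {
    "FAIL: $($allowed.Count) test file(s) would be allowed to run from user-writable paths"
} else {
    "PASS for AppLocker-covered types; still test $($uncoveredExts -join ', ') manually"
}
```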
Restriction of Microsoft Office Macros
Contextual Notes
Users should only be allowed to run Microsoft Office macros if they have a proven business need. Their use should be limited to essential applications, with their requirement and approvals recorded, aligning with their Active Directory group permissions. If their business need ceases, their macro permission should be withdrawn.
| Control | Assessment Guidance (Ordered by Effectiveness) |
| --- | --- |
| Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. | – An ACSC partner can help with this item by using ASD’s E8MVT for assessment. – To conduct your own assessment, generate an RSoP (Resultant Set of Policy) report with the ‘gpresult’ command to identify Microsoft Office macro settings applied via group policy. Within the RSoP report, look for ‘VBA Macro Notification Settings’ at ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. It should be enabled. – Within the RSoP report, look for ‘VBA Macro Notification Settings’ to be set to ‘Disable all macros without notification’ for the majority of users. In the absence of this configuration, while all Microsoft Office macros will be automatically disabled, users will be prompted through the Message Bar to decide whether they wish to enable them. – For users who have a verified business need to use Microsoft Office macros, the group policy setting can be left unconfigured, disabled, or enabled with any other setting. However, it is essential to ensure that antivirus scanning is active and that Microsoft Office macros from internet-sourced files are blocked. – Consider calculating the proportion of your organisation’s users who are authorised to use Microsoft Office macros. This step is to make sure that the permissions for running these macros are not excessively generous. |
| Microsoft Office macros in files originating from the internet are blocked. | – Consider utilising ASD’s E8MVT through a partner for control assessment. – In the RSoP report, ensure ‘Block macros from running in Office files from the Internet’ is enabled at ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. If this setting is not configured, all Microsoft Office macros from the internet will be able to run. – In addition, if users have the ability to access a file’s properties, they can remove the Mark of the Web. To prevent this, the ‘Hide mechanisms to remove zone information’ setting at ‘User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\’ should also be enabled. – Note: Users can also remove the Mark of the Web by copying files from NTFS-formatted storage media to external FAT/FAT32/exFAT-formatted storage media and back again. Unless external storage media (which is typically FAT32/exFAT formatted) is disabled for a system, it will be difficult to prevent users bypassing this control if they know how to, or if malicious actors tell them how to (which is more likely at higher maturity levels). |
| Microsoft Office macro antivirus scanning is enabled. | – ASD’s E8MVT can be used to assist in evaluating the implementation of this control when you work with an ACSC partner. – In the RSoP report, confirm ‘Macro Runtime Scan Scope’ is correctly set for each Office application. You can find it at ‘User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope’. It should be set to either ‘1 – Macros in files with the Mark of the Web [MoTW]’ (default) or ‘2 – Macros in all files’ (ideal). – Alternatively, a pseudo-malicious Microsoft Office macro that contains an EICAR antivirus test string can be used for testing purposes. |
| Microsoft Office macro security settings cannot be changed by users. | – ASD’s E8MVT can be used to assist in evaluating the implementation of this control when you work with an ACSC partner. – In the RSoP report, check that ‘VBA Macro Notification Settings’ are locked via group policy. Go to ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. – Try altering macro settings in the Office Trust Center with a user account to confirm the settings are greyed out. |
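An added example, not the page’s or ASD’s: this PowerShell reads, from the assessed user’s session, the registry values that the group policies listed above write under the Office 2016/Microsoft 365 policy key (16.0), which is direct-configuration ‘Good Evidence’ to place beside the RSoP report; the application list is an assumption, and older Office versions use a different version key.

```powershell
# Added example. Reads the policy registry values behind the macro settings in
# the table above. HKCU\Software\Policies is written by user group policy, so a
# value present there is one the user cannot change in the Trust Center.
$officeApps = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access', 'Publisher', 'Visio', 'Project'
$policyRoot = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'   # 15.0 for Office 2013

function Get-PolicyValue {
    param([string] $Path, [string] $Name)
    # $null when the key or value is absent, i.e. the policy is not configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-OfficeMacroPolicy {
    # VBAWarnings is the registry form of 'VBA Macro Notification Settings'
    $vbaMeaning = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification';
                     3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }
    foreach ($app in $officeApps) {
        $sec = "$policyRoot\$app\Security"
        $vba = Get-PolicyValue -Path $sec -Name 'VBAWarnings'
        $blk = Get-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet'  # 'Block macros ... from the Internet'
        [pscustomobject]@{
            Application     = $app
            MacroSetting    = if ($vba) { $vbaMeaning[[int]$vba] } else { 'Not configured (user prompted via Message Bar)' }
            MacrosDisabled  = ($vba -eq 4)   # ML1 expectation for users without a business need
            InternetBlocked = ($blk -eq 1)   # must be true for every user, macro-enabled or not
            LockedByPolicy  = ($null -ne $vba)
        }
    }
}

$perApp = Test-OfficeMacroPolicy
$perApp | Format-Table -AutoSize

# 'Macro Runtime Scan Scope': 0 = off, 1 = files with the Mark of the Web (default), 2 = all files (ideal)
$scanScope = Get-PolicyValue -Path "$policyRoot\Common\Security" -Name 'MacroRuntimeScanScope'
"Macro Runtime Scan Scope : $(if ($null -eq $scanScope) { 'not configured (defaults to 1)' } elseif ($scanScope -eq 0) { 'FAIL: 0' } else { $scanScope })"

# Attachment Manager 'Hide mechanisms to remove zone information' hides the Unblock control
$hideUnblock = Get-PolicyValue -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments' -Name 'HideZoneInfoOnProperties'
"Hide MoTW removal        : $(if ($hideUnblock -eq 1) { 'enabled' } else { 'NOT enabled' })"
```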
User Application Hardening
Contextual Notes
Internet Explorer 11, lacking modern security features and unsupported by Microsoft since 15 June 2022, is a frequent target for cyber-attacks. It should be replaced with Microsoft Edge or another up-to-date browser.
To guard against ‘malvertising’ used by malicious actors, blocking web ads with browser add-ons, extensions, or content filtering is recommended. For robust security, configure web browser settings through group policy settings, rather than relying on default settings which users might alter following malicious guidance.
Settings configured via group policy are typically unchangeable by users, indicated by a greyed-out appearance, a tooltip, or a padlock icon.
Control | Assessment Guidance (Ordered by Effectiveness) |
--- | --- |
Internet Explorer 11 is disabled or removed. | – In the RSoP report, verify that ‘Disable Internet Explorer 11 as a standalone browser’ is enabled. – Alternatively, review the installed ‘Windows Features’ to check whether Internet Explorer 11 is installed or removed. This can be accessed via Settings > Apps & features > Programs and Features > Turn Windows features on or off. Check whether Internet Explorer 11 is installed by looking for a tick or black square. (Note: if Internet Explorer 11 has already been removed it may not appear in the list of Windows Features.) – Note that standard users will still be able to launch IE11. Ensure ‘iexplore.exe’ is blocked through application control rules. |
Web browsers do not process Java from the internet. | – Compile a list of installed web browsers and test each by visiting a Java-based website – you can use this one: https://www.whatismybrowser.com/detect/is-java-installed. – Review browser plug-ins or extensions for Java components and ensure they are disabled. – If Java is needed for intranet use, assess compensating controls like web content filters for blocking internet-based Java. |
Web browsers do not process web advertisements from the internet. | – Verify whether ad-blocking extensions or add-ins are installed in web browsers. – Check for ad-blocking via web content filters or proxies. – Conduct a test by visiting a known ad-heavy website using one of the organisation’s PCs and take screenshots of the results. – Note that browser settings for pop-up blocking alone do not suffice for this control. |
Web browser security settings cannot be changed by users. | – Review each installed web browser’s security settings to see if they are unchangeable. – Look for indications like settings being greyed out or messages stating ‘This setting is managed by your organisation/administrator’. – Check if Java Control Panel settings can be altered by users. Your organisation is compliant with this control if they cannot. |
Regular Backups
Contextual notes
Backups of data, applications, and settings should be performed regularly and retained according to an organisation’s critical needs and continuity plans. It’s crucial to test restoration from these backups at least annually as part of disaster recovery practices, rather than waiting for a major security incident. At this maturity level, it’s important to ensure that regular users can’t access others’ backups but can access their own. However, privileged accounts may still have access to all users’ backups.
Regular users should be able to read but not modify or delete their backups. This prevents ransomware, using regular user privileges, from altering or deleting backups. The risk of malicious actors with higher privileges compromising backups is considered at more advanced maturity levels.
Control | Assessment Guidance (Ordered by Effectiveness) |
--- | --- |
Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements. | – Discuss the specified backup frequencies with your IT team, particularly considering the importance of different data sets and applications. Inspect the business continuity plan to verify the documented frequencies and retention periods for backups. For this item you will need to judge how successfully the control has been implemented and whether that implementation meets the control’s intent. |
Backups of data, applications and settings are synchronised to enable restoration to a common point in time. | – Ensure backup processes are synchronised for seamless restoration to a common point in time. If not, restoration may prove challenging and result in potential data loss. |
Backups of data, applications and settings are retained in a secure and resilient manner. | – Assess the security and resilience of backup procedures. Check if backups are encrypted and their effectiveness in quick recovery from ICT failures. |
Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises. | – Review the results of disaster recovery drills, including their frequency, the date of the last drill, and whether they involved full or partial system restoration. – Confirm that post-exercise reports or reviews that detail the recovery process and any lessons learned have been produced. – Note that for the purposes of this control, simple business-as-usual file recovery doesn’t suffice; substantial system component restoration is key. |
Unprivileged accounts cannot access backups belonging to other accounts. | – Examine the backup solution and security groups in Active Directory to identify who has access to backups. – Verify if unprivileged accounts are limited to accessing only their backups. If network shares store backups, use an unprivileged account to try to access others’ backups. |
Unprivileged accounts are prevented from modifying and deleting backups. | – Check if unprivileged accounts can alter or delete their own backups. – If backups are on network shares, use an unprivileged account to try and modify or delete a backup and take ownership of content to change permissions. The organisation is compliant if you cannot do this. |
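
For the ‘backups on network shares’ case in the two controls above, the share’s NTFS permissions can be audited directly rather than only probed with a test account. The following PowerShell script is an added example for this guide, not part of the ACSC guidance; the share path and the group names in $Unprivileged are placeholders to replace with your own.

```powershell
# Added example: list Allow ACEs on a backup share that give unprivileged principals
# more than read access (modify, delete, change permissions or take ownership).
# The share path and group names below are placeholders.
$BackupRoot   = '\\BACKUP-SERVER\Backups'
$Unprivileged = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'EXAMPLE\Domain Users'

# Read/list access is acceptable at Maturity Level One; these rights are not.
# ChangePermissions and TakeOwnership matter because they let a user grant themselves the rest.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-BackupAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($principal -notin $Unprivileged) { continue }
        $excess = $ace.FileSystemRights -band $WriteRights
        if ($excess -ne 0) {
            [pscustomobject]@{
                Path         = $Path
                Principal    = $principal
                ExcessRights = $excess
                Inherited    = $ace.IsInherited
            }
        }
    }
}

# Check the share root and each top-level (typically per-user) backup folder.
$findings = @(Test-BackupAcl -Path $BackupRoot)
foreach ($dir in Get-ChildItem -Path $BackupRoot -Directory) {
    $findings += Test-BackupAcl -Path $dir.FullName
}

if ($findings.Count -eq 0) {
    'PASS: no unprivileged principal can modify, delete or take ownership of backups.'
} else {
    'FAIL: the following ACEs grant unprivileged principals write-level rights:'
    $findings | Format-Table -AutoSize
}
```

Share-level (SMB) permissions also apply; this script only reads the NTFS ACLs, so confirm the share permissions separately with `Get-SmbShareAccess` on the file server.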
Radical Honesty is the key – you can get it in two ways
When reviewing an internal client, it’s easy to let familiarity and the fear of upsetting others dictate results. You know that control X is in place, so you skip the formal testing to confirm it still works. Or you know there’s a policy regarding workstation patching and you know there are resources dedicated to it, so you assess your organisation positively without gathering the “excellent” evidence, referred to above.
You need what we would term “Radical Honesty” to try and get past those internal biases and review the organisation as though you are an outsider. It can be hard to do and you will benefit from pausing your review at various stages and assessing if you have, inadvertently, let anything slip by.
To prove to an external body that your organisation is genuinely at Level 1 maturity, it may be important to use an assessor engaged at arm’s length. Computer One is a skilled assessor of a variety of security frameworks, including the ASD Essential Eight. Radical Honesty is built in to our service, to ensure your organisation is truly at a given level of ASD Essential Eight maturity.
Contact us for a free and confidential discussion.