Essential Eight Assessments

Most ransomware infections succeed because malicious software executes freely on unprotected systems. Application Control prevents this by allowing only approved applications to run.

When an employee accidentally downloads a file from a phishing email or visits a compromised website, any malicious executable simply won’t run. At Maturity Level 1, Application Control is required on all workstations. Level 2 extends this to internet-facing servers. Level 3 requires Application Control on all servers.

Attackers don’t need to break through your defences if they can exploit known vulnerabilities in unpatched software. Web browsers, PDF readers, and office applications are common targets because they handle external content.

At Maturity Level 1, security vulnerabilities are patched within two weeks when assessed as extreme risk, and within one month for other vulnerabilities. Higher maturity levels require faster patching schedules, with Level 3 requiring patches within 48 hours for extreme risk vulnerabilities.

Macros in Microsoft Office documents remain one of the most effective ways attackers deliver malware. A seemingly legitimate Excel spreadsheet arrives via email, the user enables macros, and malicious code executes with full system access.

At Maturity Level 1, macros are blocked unless they come from trusted locations with limited write access or are digitally signed by a trusted publisher. At higher maturity levels, only macros signed by trusted publishers are allowed.

Web browsers, PDF readers, and email clients handle external, potentially malicious content constantly. User Application Hardening reduces risk by disabling features attackers commonly exploit, including blocking Flash content, preventing Java execution in browsers, and restricting ads and potentially malicious web content.

If an attacker compromises a user account with administrative privileges, they gain control of the entire system. Restricting administrative privileges follows the principle of least privilege.

At Maturity Level 1, privileged users must use a separate unprivileged account for standard tasks like email, web browsing, and office productivity work. Administrative accounts are used only when performing administrative functions. At higher maturity levels, privileged users operate from separate, hardened workstations when performing administrative tasks.

Unpatched operating systems are a primary target for attackers. Vulnerabilities in Windows, macOS, or Linux give attackers a foothold to install malware, escalate privileges, and compromise the entire environment.

At Maturity Level 1, extreme risk vulnerabilities in operating systems are patched within two weeks, and other vulnerabilities within one month. Higher maturity levels require faster response times, with Level 3 requiring patches within 48 hours for extreme risk vulnerabilities.

Passwords alone no longer provide adequate protection. Phishing attacks and credential stuffing regularly compromise passwords, and once attackers have valid credentials, they appear as legitimate users.

Multi-factor authentication adds a second verification step beyond passwords. At Maturity Level 1, MFA is required for all users. Level 2 requires phishing-resistant MFA like authenticator apps. Level 3 requires phishing-resistant MFA methods like FIDO2 security keys or smartcards that can’t be intercepted or replayed.

Backups are your last line of defence when prevention fails. Ransomware attacks, hardware failures, and accidental deletions happen despite best efforts, and reliable backups allow you to recover without catastrophic data loss or paying ransoms.

At Maturity Level 1, backups of important data must be performed at least daily, while backups of operating systems and software settings can be performed weekly. Restoration testing must occur at least once when initially implemented and each time fundamental information technology infrastructure changes occur.