Elementary Threat · BSI IT-Grundschutz

G 0.20 — Information or Products from Unreliable Sources

Reading time: 4 min · Reviewed by: Cenedril Editorial

A phishing email disguises itself as a message from a known business partner. Attached: a document supposedly containing an updated price list. The recipient in the purchasing department opens the document without questioning it. The embedded macro installs a remote access trojan — and the attacker henceforth has full access to the internal network.

Information and software from unreliable sources can endanger both the integrity of decisions and the security of IT systems. The BSI lists this threat as G 0.20.

What’s behind it?

Information processing rests on a chain of trust: data is collected, transmitted, processed and used as the basis for decisions. When one link in this chain rests on unreliable sources, the error propagates through the entire processing chain. For software, unverified code directly threatens the security of the system.

Attack vectors

  • Spoofed emails (phishing) — the sender is forged or modelled on a known contact. Attachments and links lead to malicious code or spoofed login pages. Because email addresses and headers follow a simple, well-documented structure, forging them is trivial to automate.
  • Software from unofficial sources — downloads from third-party sites, forums or filesharing platforms may contain manipulated versions. Even when the software appears functionally correct, it may be exfiltrating data in the background.
  • Compromised update mechanisms — supply chain attacks inject malicious code through the vendor’s regular update channels. Because the updates carry a valid digital signature, systems install them without suspicion.
  • Misinformation as a decision basis — unverified internet sources, fabricated studies or manipulated reports flow into business decisions and lead to misjudgements.

Impact

Manipulated software can violate all three protection goals at once: data outflow (confidentiality), data manipulation (integrity), system outage through malicious code (availability). With misinformation, the damage lies in flawed decisions — the consequences range from misinvestments to regulatory violations.

Practical examples

Spoofed supplier invoice by email. The finance department of a mid-sized company receives an email that looks exactly like the invoices from a long-standing supplier — complete with correct logo, invoice number and contact person. Only the bank details have changed. Since the amount is within the usual range, the invoice is paid. The fraud is only noticed when the real supplier sends a payment reminder.

Manipulated open-source package. A developer includes a popular open-source library in their project. Shortly before, an attacker has published a slightly altered version under a confusingly similar package name (typosquatting). The manipulated version works identically but exfiltrates environment variables — including API keys and database passwords — to an external server.
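One defensive check that the typosquatting scenario above calls for is to screen a dependency manifest against an approved list and flag names that are not approved but sit only one or two edits away from an approved one. The following is an added example, not code from Cenedril or from any package manager; the allow-list, the requirements file and the package names in it are constructed for illustration.

```python
import re

APPROVED = ["requests", "numpy", "cryptography", "PyYAML"]  # constructed allow-list
REQUIREMENTS = """# constructed requirements.txt with two look-alikes and one unknown
requests==2.31.0
requsts>=1.0
numpy
cryptograpy[ssh]
PyYAML ; python_version >= "3.8"
colorama
"""

def normalise(name: str) -> str:
    """PEP 503 normalisation so 'Py_YAML', 'py.yaml' and 'py-yaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def names_from_requirements(text: str) -> list[str]:
    """Pull the bare project name off each requirement line (comments skipped)."""
    found = [re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", l) for l in text.splitlines()]
    return [m.group(1) for m in found if m]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_dependencies(requested, approved, max_distance=2):
    """Split names into look-alikes (not approved, but within max_distance edits
    of an approved name: the pattern typosquatting relies on) and unapproved."""
    approved_norm = {normalise(n): n for n in approved}
    report = {"lookalike": [], "unapproved": []}
    for req in requested:
        r = normalise(req)
        if r in approved_norm:
            continue
        closest = min(approved_norm, key=lambda a: edit_distance(r, a), default=None)
        if closest is not None and edit_distance(r, closest) <= max_distance:
            report["lookalike"].append((req, approved_norm[closest], edit_distance(r, closest)))
        else:
            report["unapproved"].append(req)
    return report

def demo() -> dict:
    return screen_dependencies(names_from_requirements(REQUIREMENTS), APPROVED)
```

A look-alike finding is a signal for human review, not proof of malice; the real mitigation is a pinned, reviewed allow-list that a build cannot silently grow.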

False market data in a board paper. For an investment decision, an analyst researches market data on the internet and adopts figures from a professionally produced but factually incorrect industry study. The investment rests on flawed assumptions. The error only becomes apparent after market entry — the withdrawal costs the company a seven-figure sum.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 30 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.20 to the following modules:

  • OPS.1.2.6 (NTP time synchronisation) — time synchronisation from trusted sources as an example of integrity requirements.
  • CON.8 (Software development) — requirements for verifying dependencies and external components.
  • OPS.1.1.3 (Patch and change management) — ensuring that updates originate from trusted sources.
  • SYS.1.6 (Containerisation) — verification of container images for integrity and origin.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.5 Contact with authorities
  • A.5.7 Threat intelligence
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.34 Privacy and protection of PII
  • A.6.8 Information security event reporting
  • A.7.7 Clear desk and clear screen
  • A.7.10 Storage media
  • A.8.1 User endpoint devices
  • A.8.4 Access to source code
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.17 Clock synchronisation
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.23 Web filtering
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.31 Separation of development, test and production environments
  • A.8.32 Change management

Frequently asked questions

What counts as an unreliable source?

Any source whose authenticity and integrity you cannot independently verify. This includes: emails with unknown or spoofed senders, software downloads from unofficial sites, updates without a digital signature, information from the internet without source verification, and storage media of unknown origin.

How do I verify the integrity of software updates?

Download updates only from the official vendor site or through automated update mechanisms. Check the digital signature (code signing) and compare hash values where the vendor publishes them. For open-source software, reproducible builds and package managers that verify package signatures provide additional assurance.
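The hash comparison recommended above is worth doing carefully: parse the vendor's checksum listing, stream the download through SHA-256, compare in constant time, and treat a file the vendor never listed as unverified rather than as acceptable. The code below is an added example, not Cenedril's or any vendor's tooling; the release archive, the tampered mirror copy and the SHA256SUMS listing are all constructed inside the demo so it runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_checksums(text: str) -> dict[str, str]:
    """Parse a sha256sum-style listing ("hash  name" or "hash *name") into {name: hex}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # text-mode uses two spaces, binary-mode " *"
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest.lower()
    return table

def sha256_of_file(path: Path) -> str:
    """Stream the file so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: Path, checksums: dict[str, str]) -> bool:
    """True only if the vendor listed the file and its digest matches."""
    expected = checksums.get(path.name)
    if expected is None:
        return False  # unlisted artefact: unverified, not "probably fine"
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: genuine download, tampered mirror copy, unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        genuine = d / "tool-1.2.3.tar.gz"
        genuine.write_bytes(b"constructed release payload v1.2.3\n")
        # The vendor listing is constructed here from the genuine bytes.
        listing = f"# constructed SHA256SUMS\n{sha256_of_file(genuine)}  tool-1.2.3.tar.gz\n"
        checksums = parse_checksums(listing)
        (d / "mirror").mkdir()
        tampered = d / "mirror" / "tool-1.2.3.tar.gz"
        tampered.write_bytes(b"constructed release payload v1.2.3 + tampered\n")
        (d / "plugin.zip").write_bytes(b"not in the vendor listing\n")
        return (verify_download(genuine, checksums), verify_download(tampered, checksums),
                verify_download(d / "plugin.zip", checksums))
```

A checksum fetched from the same mirror as the download proves only that the two match each other; the listing must come from the vendor's own channel, ideally signed, for the check to say anything about origin.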

Can reputable sources also be compromised?

Yes. Supply chain attacks compromise trusted software supply chains — signed updates from a reputable vendor can still contain malicious code if the vendor's build infrastructure has been compromised. That's why defence in depth matters: multiple protective layers work together.