Every interface of an IT system is a potential entry point. An inadequately secured remote maintenance connection, a forgotten API, a service still running with its default password: an attacker needs only one vulnerable interface to get in, while the defender has to protect them all.
Unauthorised access to IT systems is one of the most fundamental threats to information security. The BSI lists it as G 0.23. The access is often the first step of an attack chain — intrusion is followed by data theft, manipulation or sabotage.
What’s behind it?
Every interface — network port, USB socket, API, web interface, management console — offers legitimate users access to the system’s services. The same interface offers an attacker the opportunity to gain unauthorised access when authentication is too weak, software is vulnerable or the configuration is flawed.
Entry points
- Captured credentials — usernames and passwords obtained through phishing, keyloggers, credential stuffing or database leaks. Password reuse makes this attack vector particularly effective.
- Software vulnerabilities — unpatched security holes in operating systems, web applications or services. Once a vulnerability and a working exploit are public, mass scanning and automated exploitation typically follow within hours to days, so the time between disclosure and patching is the critical window.
- Insecure remote maintenance access — RDP, SSH, VPN gateways or proprietary remote maintenance tools with weak credentials or without multi-factor authentication.
- Physical interfaces — USB ports that have not been disabled allow the connection of prepared devices. Unattended systems with open consoles invite direct access.
- Misconfigurations — services that are unintentionally reachable from the internet, management interfaces that require no authentication, and default credentials that were never changed.
Impact
Unauthorised access primarily violates confidentiality (reading data) and integrity (manipulating data and systems); where the intruder goes on to sabotage or encrypt systems, availability as well. In many cases the intrusion is only the starting point: ransomware deployment, data exfiltration and lateral movement through the network follow. Industry incident reports put the dwell time (the interval between initial compromise and detection) at days to weeks for most incidents, which leaves the attacker ample time to cause considerable damage.
Practical examples
Credential stuffing against a VPN gateway. An attacker uses a publicly available collection of stolen credentials (from earlier third-party breaches) and tests them automatically against a company’s VPN gateway. Since several employees use the same password for private and professional accounts, access succeeds. The attacker now has an encrypted connection into the internal network.
Unpatched web server as entry point. A company operates a web server with a known vulnerability for which a patch has been available for three months. An automated scanner discovers the weakness and installs a web shell. The attacker uses the web shell as a springboard for lateral movement and compromises the domain controller within a week.
Forgotten remote maintenance access. During commissioning of a production plant, the manufacturer sets up a remote maintenance access — with the agreed default password “service2020”. After commissioning, the access is forgotten; it remains active. Years later, an attacker finds the open port through an internet scan and logs in with the unchanged password.
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 42 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)
Prevention:
- A.8.5 — Secure authentication: Multi-factor authentication for every externally reachable access point (VPN, RDP, SSH, web management interfaces) and for all administrative accounts; no shared or default passwords.
- A.8.8 — Management of technical vulnerabilities: Systematic patching closes the entry points.
- A.8.20 — Networks security: Segmentation and firewall rules limit the reachable attack radius.
- A.8.2 — Privileged access rights: Restrict administrative rights to limit the impact of a compromised account.
- A.8.9 — Configuration management: Harden and document default configurations, replace default credentials.
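The hardening points above (replace default configurations, restrict remote access, require a second factor) can be turned into a repeatable check. The following script audits an OpenSSH server configuration against a small baseline; it is an added example and not code from the page or from the OpenSSH project. The baseline values, the built-in defaults table and the two sample configurations are assumptions. It deliberately reproduces one sshd rule that catches people out: for a repeated keyword sshd keeps the first value, so a hardening line appended at the end of the file does nothing if a weaker line precedes it.

```python
"""Check an OpenSSH server configuration against a hardening baseline.

Added example for the hardening controls above; not code from the page or
from the OpenSSH project.  Baseline values and sample configs are assumed.
"""
import re

# Hardening baseline (assumed policy): keyword -> required effective value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}
# Value sshd uses when the keyword is absent (current OpenSSH defaults).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword (lowercase): effective value} for the global section.

    Keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, and the FIRST occurrence wins.  Everything after a 'Match'
    line applies conditionally and is skipped here; review it separately,
    because a Match block can re-enable password logins for a single user.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)      # first value wins, like sshd
    return effective


def audit(text):
    """Return a list of (keyword, effective value, required value) findings."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in BASELINE.items():
        actual = cfg.get(key, SSHD_DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append((key, actual, wanted))
    # Multi-factor: every alternative in AuthenticationMethods (space-separated)
    # must chain at least two methods (comma-separated).  Absent keyword = "any".
    methods = cfg.get("authenticationmethods", "any")
    if any(len(alt.split(",")) < 2 for alt in methods.split()):
        findings.append(("authenticationmethods", methods,
                         "publickey,keyboard-interactive"))
    return findings


# Constructed sample: the forgotten maintenance box.  The second
# PasswordAuthentication line was appended later by an admin who believed
# it took effect; sshd ignores it because the keyword already appeared.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# "fix" appended later; ignored by sshd because the keyword appeared above
PasswordAuthentication no
"""

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, actual, wanted in findings:
            print(f"  {key}: is '{actual}', should be '{wanted}'")
```

On a live host, `sshd -T` prints the effective configuration sshd would actually use (with Match conditions resolved for a given connection via `-C`), which is a better input for such an audit than the raw file. The same approach, a baseline of required settings plus knowledge of the product's own defaults and precedence rules, applies to RDP, VPN gateways and vendor remote-maintenance tools.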
Detection:
- A.8.15 — Logging: Failed and successful login attempts, their source addresses, the use of privileged rights and new remote connections are recorded, protected against tampering and retained long enough to reconstruct an intrusion.
- A.8.16 — Monitoring activities: SIEM correlation detects attack patterns such as brute force, lateral movement or unusual administrator access.
- A.5.35 — Independent review of information security: Penetration tests and red team exercises test protective measures under realistic conditions.
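The detection controls above (failed logins, brute force, unusual administrator access) and the credential-stuffing scenario from the practical examples can be made concrete with a small log-analysis script. The following is an added example, not code from the page or from any SIEM product. The log format, the thresholds, the administrator allowlist and the sample log lines (using RFC 5737 documentation addresses) are all constructed assumptions.

```python
"""Detect brute force, credential stuffing and unusual admin logins in
authentication logs.  Added example, not from the page: log format,
thresholds, allowlist and the sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Assumed log shape of a VPN gateway: "<ISO-8601 UTC> vpn-gw auth result=OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW = 300            # seconds; all thresholds are evaluated inside this span
BRUTE_FORCE_FAILS = 5   # failures for one (src, user) pair inside WINDOW
STUFFING_USERS = 5      # distinct users tried from one src inside WINDOW
ADMIN_USERS = {"admin", "ops-admin"}
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # assumed jump-host range


def parse(lines):
    """Return events as (epoch_seconds, result, user, src), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: skip rather than crash the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["result"], m["user"], m["src"]))
    events.sort()
    return events


def max_distinct_in_window(items, window):
    """items: (time, key).  Largest number of distinct keys inside any
    window-second span (sliding window with a running count per key)."""
    items = sorted(items)
    counts, best, start = defaultdict(int), 0, 0
    for t, key in items:
        counts[key] += 1
        while t - items[start][0] > window:        # expire old entries
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(events):
    """Return alerts as (kind, src, user, count)."""
    alerts = []
    fails_by_pair = defaultdict(list)   # (src, user) -> [(t, event index)]
    tries_by_src = defaultdict(list)    # src -> [(t, user)]
    for i, (t, result, user, src) in enumerate(events):
        tries_by_src[src].append((t, user))
        if result == "FAIL":
            fails_by_pair[(src, user)].append((t, i))   # index makes each failure a distinct key
    flagged = set()
    for (src, user), items in fails_by_pair.items():
        n = max_distinct_in_window(items, WINDOW)
        if n >= BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", src, user, n))
            flagged.add(src)
    for src, items in tries_by_src.items():
        n = max_distinct_in_window(items, WINDOW)
        if n >= STUFFING_USERS:
            alerts.append(("credential_stuffing", src, None, n))
            flagged.add(src)
    for t, result, user, src in events:
        if result != "OK":
            continue
        if src in flagged:   # the stuffing run that found a reused password
            alerts.append(("success_from_flagged_source", src, user, None))
        if user in ADMIN_USERS and not any(
                ipaddress.ip_address(src) in net for net in ADMIN_ALLOWLIST):
            alerts.append(("admin_login_outside_allowlist", src, user, None))
    return alerts


def analyse(text):
    return detect(parse(text.splitlines()))


# Constructed sample log: one stuffing run, one brute-force run, one admin
# login from outside the jump-host range, plus benign traffic.
SAMPLE_LOG = """\
2024-03-04T08:00:05Z vpn-gw auth result=OK user=alice src=192.0.2.10
2024-03-04T08:01:00Z vpn-gw auth result=FAIL user=alice src=198.51.100.23
2024-03-04T08:01:02Z vpn-gw auth result=FAIL user=bob src=198.51.100.23
2024-03-04T08:01:04Z vpn-gw auth result=FAIL user=carol src=198.51.100.23
2024-03-04T08:01:06Z vpn-gw auth result=FAIL user=dave src=198.51.100.23
2024-03-04T08:01:08Z vpn-gw auth result=FAIL user=erin src=198.51.100.23
2024-03-04T08:01:10Z vpn-gw auth result=OK user=frank src=198.51.100.23
2024-03-04T08:10:00Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:10:01Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:10:02Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:10:03Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:10:04Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:10:05Z vpn-gw auth result=FAIL user=admin src=203.0.113.9
2024-03-04T08:30:00Z vpn-gw auth result=OK user=ops-admin src=192.0.2.44
2024-03-04T08:45:00Z vpn-gw auth result=OK user=ops-admin src=198.51.100.200
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Two design points matter in practice. Credential stuffing is usually invisible to a per-account lockout because each account sees only one or two attempts, so the rule counts distinct usernames per source rather than failures per user. And a success from a source already flagged for stuffing is the alert worth waking someone up for: it is the moment the scenario in the practical example turns into an intrusion. Distributed attacks spread over many source addresses evade per-source thresholds; correlating on user-agent, ASN or failure rate per gateway is the next step.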
Response:
- A.5.24 — Information security incident management planning and preparation: Incident response plan for cases of detected intrusion.
- A.5.25 — Assessment and decision on information security events: Structured triage to assess the severity of the incident.
BSI IT-Grundschutz
The BSI IT-Grundschutz catalogue links G 0.23 to the following modules:
- NET.3.1 (Routers and switches) — hardening and access protection for network components.
- NET.3.2 (Firewall) — filter rules and segmentation as the primary barrier against unauthorised access.
- ORP.4 (Identity and access management) — requirements for authentication, authorisation and permission management.
- SYS.1.1 (General server) — hardening and protection of server systems.
Sources
- BSI IT-Grundschutz: Elementary Threats, G 0.23 — original description of the elementary threat
- ISO/IEC 27002:2022 Section 8.5 — implementation guidance on secure authentication
- BSI: Recommendations for Secure Authentication — practical guidance on securing accounts and access