Elementary Threat · BSI IT-Grundschutz

G 0.30 — Unauthorised Use or Administration of Devices and Systems

Reviewed by: Cenedril Editorial

Analysing network logs, an administrator spots unusual connections at a WLAN router — regularly in the early morning and late afternoon. The cause: the WLAN router is configured insecurely, and people waiting at the bus stop in front of the company building are using the open network to browse. What sounds harmless opens an entry point into the corporate network.

Unauthorised use or administration of devices and systems (G 0.30) is one of the most versatile threats in the BSI IT-Grundschutz catalogue. It covers everything from an accidentally open WLAN access point to a targeted attack with stolen administrator credentials.

What’s behind it?

Without effective mechanisms for physical, logical and access control, unauthorised use of systems can hardly be prevented or even detected. Even strong authentication mechanisms fail when the associated security features — passwords, tokens, smart cards — fall into the wrong hands.

Access paths

  • Stolen or guessed credentials — Weak passwords, credential stuffing with leaked data, phishing attacks.
  • Misconfigured services — Open management interfaces, default passwords on network devices, unprotected API endpoints.
  • Physical access — Unsecured server rooms, unlocked terminals, accessible network ports in public areas.
  • Removable media — Via the USB ports of unattended systems, data can be read out or malware introduced.
  • Lateral movement — From a compromised workstation of a user with limited rights, an attacker can gradually gain access to more highly privileged systems.

Impact

The consequences range from data theft through manipulation to complete takeover of the IT infrastructure. Unauthorised administration is particularly dangerous: an attacker with administrator rights can disable security measures, install backdoors and manipulate logs to cover their activities.

Practical examples

WLAN router with default configuration. A company operates a WLAN access point with the factory-set default password. External people connect and gain access to the internal network via WLAN. Since the network is not segmented, they have access to file shares and internal applications.

Stolen VPN certificate. An employee stores their VPN certificate unprotected on a private laptop. The laptop is stolen. The attacker uses the certificate to dial into the corporate network as a legitimate user. Since no additional authentication (MFA) is required, the access goes unnoticed.

Inactive admin account not disabled. An IT administrator leaves the company. Their privileged account is not locked promptly. Weeks later, logs show accesses via this account at unusual hours. Whether the former employee or a third party is using the credentials cannot initially be determined.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 45 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

G 0.30 is linked by the BSI IT-Grundschutz catalogue to the following modules:

  • ORP.4 (Identity and access management) — Central requirements for managing identities and access rights.
  • NET.1.1 (Network architecture and design) — Network segmentation and access control at the network level.
  • SYS.1.1 (General server) — Protection of administration and access control for servers.
  • INF.7 (Office workplace) — Physical security at the workplace, screen lock, clean desk.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.11 Return of assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.34 Privacy and protection of PII
  • A.6.2 Terms and conditions of employment
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.7 Remote working
  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.4 Physical security monitoring
  • A.7.7 Clear desk and clear screen
  • A.7.8 Equipment siting and protection
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.13 Equipment maintenance
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.10 Information deletion
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What is the difference between unauthorised use and abuse of permissions?

In unauthorised use (G 0.30), someone gains access who has no authorisation for it, for example through stolen passwords or an insecure WLAN configuration. In abuse of permissions (G 0.32), a person uses their existing, legitimate rights beyond the intended scope.

Why is unauthorised administration especially critical?

Administrators have extensive rights: they can change configurations, disable security mechanisms, delete logs and install backdoors. If an attacker obtains administrative credentials, they can compromise the entire IT infrastructure and cover their tracks.

How can I detect unauthorised access?

Central logging and monitoring are the most important tools. Watch for unusual login times, access from unknown devices or IP addresses, failed login attempts and access to systems that are not relevant to the respective role. SIEM systems can detect these anomalies automatically.
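The indicators named above (off-hours logins, unknown source addresses, logins to an account that should have been disabled, bursts of failed attempts) can be checked with a few lines over an authentication log. The script below is an added example, not part of the BSI catalogue or of this page; the log format, the business-hours window, the trusted address prefix and the offboarded account `admin-j.doe` are all constructed assumptions.

```python
"""Flag G 0.30 indicators in a simplified authentication log (added example).
Log format (constructed): "<ISO timestamp> <user> <source IP> <success|failure>"."""
from collections import Counter
from datetime import datetime

# Constructed sample log: a normal user, an offboarded admin logging in at
# night from outside, a guessing burst against bob, and an evening remote login.
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice 10.0.1.23 success
2024-03-04T02:13:40 admin-j.doe 203.0.113.7 success
2024-03-04T09:02:01 bob 10.0.1.44 success
2024-03-04T09:02:05 bob 10.0.1.44 failure
2024-03-04T09:02:06 bob 10.0.1.44 failure
2024-03-04T09:02:07 bob 10.0.1.44 failure
2024-03-04T09:02:08 bob 10.0.1.44 failure
2024-03-04T09:02:09 bob 10.0.1.44 failure
2024-03-04T19:40:00 carol 198.51.100.9 success
"""
# Constructed policy values; in practice these come from HR/IAM and the IP plan.
BUSINESS_HOURS = range(7, 19)        # 07:00 to 18:59 counts as usual
KNOWN_PREFIXES = ("10.0.",)          # internal client ranges
DISABLED_ACCOUNTS = {"admin-j.doe"}  # privileged account that should be locked
FAILURE_THRESHOLD = 5                # failures from one user/source pair

def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def detect(log_text):
    """Return (indicator, user, source) findings; successful logins are
    judged against hours, source and account state, failures are counted."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        ts, user, src, result = parse(line)
        if result == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == FAILURE_THRESHOLD:
                findings.append(("failed-login-burst", user, src))
            continue
        if user in DISABLED_ACCOUNTS:
            findings.append(("disabled-account-login", user, src))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", user, src))
        if not src.startswith(KNOWN_PREFIXES):
            findings.append(("unknown-source-login", user, src))
    return findings

if __name__ == "__main__":
    for indicator, user, src in detect(SAMPLE_LOG):
        print(f"{indicator:24} {user:14} {src}")
```

A real deployment would feed these rules into the SIEM mentioned above rather than a script, but the decision logic is the same: each finding is a candidate event for the incident process (A.5.25, A.5.26).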