Added current files, mainly CIS258

CIS258/F25IEC_HW2_Greene_Isaac.tex

@@ -0,0 +1,222 @@
+\documentclass[12pt]{scrartcl}
+\usepackage[T1]{fontenc}
+\usepackage{tgpagella}
+\usepackage{xcolor}
+\usepackage{ulem}
+\usepackage[head=24pt]{geometry}
+\usepackage{scrlayer-scrpage}
+\usepackage{setspace}
+\usepackage{array}
+\usepackage{graphicx}
+\usepackage{hyperref}
+
+\geometry{letterpaper}
+
+\hypersetup{
+    colorlinks=true,
+    linkcolor=blue,
+    filecolor=magenta,      
+    urlcolor=isaac-red,
+    pdftitle={F25IEC\_HW2\_Greene\_Isaac},
+    pdfauthor={Isaac Greene},
+    pdfpagemode=FullScreen
+}
+\urlstyle{same}
+
+
+\definecolor{isaac-red}{HTML}{C52947}
+\definecolor{isaac-blue}{HTML}{0E4385}
+
+\newcommand\sectionuline{%
+  \bgroup\markoverwith{\textcolor{isaac-red}{\rule[-0.5ex]{2pt}{1.7pt}}}%
+  \ULon%
+}
+\newcommand\subsectionuline{%
+  \bgroup\markoverwith{\textcolor{isaac-blue}{\rule[-0.5ex]{2pt}{1.7pt}}}%
+  \ULon%
+}
+
+\clearpairofpagestyles
+
+\setkomafont{subsubsection}{\usefont{T1}{qpl}{b}{n}}
+\setkomafont{subsection}{\usefont{T1}{qpl}{m}{n}\large}
+\setkomafont{section}{\usefont{T1}{qpl}{b}{n}\Large}
+\setkomafont{part}{\usefont{T1}{qpl}{b}{n}\LARGE}
+\addtokomafont{part}{\subsectionuline}
+\addtokomafont{section}{\sectionuline}
+\addtokomafont{subsection}{\subsectionuline}
+\addtokomafont{subsubsection}{\sectionuline}
+
+\setlength{\parindent}{12pt}
+\setlength{\parskip}{0pt}
+\doublespacing
+
+\title{\Large Isaacal Media Risk Assessment}
+\author{\normalsize Isaac Greene}
+\date{\normalsize October 5, 2025}
+
+\lohead{F25IEC\_HW2\_Greene\_Isaac}
+\lofoot{\begin{spacing}{1}No AI used <\href{http://ig7.us/ai}{ig7.us/ai}>. Built with \LaTeX.\\Work available under the Esoteric Common License <\href{http://ig7.us/license}{ig7.us/license}>.\end{spacing}}
+\ohead*{\pagemark}
+
+\begin{document}
+\part*{Isaacal Media Risk Assessment}
+Isaac Greene\\
+October 5, 2025
+\begin{spacing}{1}
+\tableofcontents
+\end{spacing}
+\section{Organization Background}
+Isaacal Media is the trade name I use, registered in Calhoun County, for the web design and technical services I provide to my clients. This risk assessment details what actions I am taking and should take in the future to secure my services and public access to them. This report focuses on the services used, the connections between and underpinning those services, and what security measures are in place to prevent breaches by the public. Front services are primarily operated under *.isaac.run, with the backend (such as email)  operating from *.xtzws.com. To perform this assessment, I have compiled all software I use, how and where it has been deployed, and what levels of access known or unknown users have to it.
+
+All software that is installed is Free and Open Source software due to its low cost, simple licensing, support, and security.\footnote{\url{https://youtu.be/HcV4u-nemNk} Is Open Source More Secure? - Jeff Crume / IBM, April 2024} To conduct this assessment, I have logged into each of my systems and read documentation for applicable software. Individual assessments include supporting services, such as certificate management, cron jobs, etc., but does not include factors outside of my control such as data center reliability or peering.\footnote{I have SLAs with most of my hosting partners, and they make available the security and backup protocols of their sites.}
+\renewcommand{\arraystretch}{1.5}
+\subsection{List of services in scope}
+\begin{center}
+\begin{table}[h]
+\centering
+\begin{tabular}{ |l|l|l| } 
+\hline
+\textbf{Service} & \textbf{Domain} & \textbf{Location}\\
+\hline
+Main site & www.isaac.run & Cloudflare\\
+Forgejo & git.isaac.run & Germany\\
+Email & mail.xtzws.com & Germany\\
+Assignments & edu.isaac.run & Germany\\
+Bank & bank.isaac.run & Lansing 1\\
+MySQL & N/A & Germany/Lansing 2\\
+CDN & cdn.isaac.run \& cdn.10161997.xyz & Boston\\
+Analytics & plausible.isaac.run & Lansing 1\\
+Docs & ig7.us & Germany\\
+Servers & N/A & Lansing/Germany\\
+\hline
+\end{tabular}
+\caption{Summary of all services used and considered in scope of this assessment.}
+\end{table}
+\end{center}
+
+\begin{center}
+\begin{table}[h!]
+\centering
+\begin{tabular}{ |l|l|m{16em}| } 
+\hline
+\textbf{Service} & \textbf{Domain} & \textbf{Description}\\
+\hline
+SSO & \{login|auth|id|sso\}.isaac.run & Increase security and usability of Isaacal Media services\\
+Payments & pay.isaac.run & Accept card payments, processed by Square\\
+CRM & mem.ig7.us & Keep track of personal relationships\\
+\hline
+\end{tabular}
+\caption{Services potentially coming online soon.}
+\end{table}
+\end{center}
+
+\subsection{Personal information processing}
+\begin{center}
+\begin{table}[h!]
+\centering
+\begin{tabular}{ |l|m{16em}| } 
+\hline
+\textbf{Information} & \textbf{Used by}\\
+\hline
+PII & Services with an account\\
+Email & Forgejo (for attributing commits), Assignments (for login), Email (to login)\\
+Finances & Bank of Isaac to show transaction statements\\
+User-submitted content & Forgejo, Assignments, Email, CDN\\
+Non-PII & Plausible (record website visits)\\
+Payment information & Cards are processed and stored by Square, offline payments like checks and cash are not stored online\\
+\hline
+\end{tabular}
+\caption{Processing of data by the services.}
+\end{table}
+\end{center}
+
+\newpage
+\section{Potential Threats}
+There are myriad reasons a system could go down, the most common of which are relatively harmless (except for potential frustration), but there are more serious threats to consider.
+\begin{spacing}{1}
+\subsection{Natural threats}
+\begin{list}{-}{}
+\item Earthquakes
+\item Tornadoes
+\item Floods
+\item Heavy storms
+\item Hurricanes
+\item Power grid failure
+\item Network cable failures
+\end{list}
+\subsection{Routine threats}
+\begin{list}{-}{}
+\item Certificate expiration
+\item Maintenance
+\item Overloaded systems
+\item Misconfigured services
+\end{list}
+\subsection{Irregular threats}
+\begin{list}{-}{}
+\item Network attacks
+\item Denial of service and distributed denial of service
+\item Data center failure
+\item Unprivileged access
+\item Insecure account
+\end{list}
+\end{spacing}
+\newpage
+\section{Vulnerabilities}
+\subsection{Techniques}
+Threats in the above list and deemed mission critical\footnote{Main site, Forgejo, SSO, Assignments, and CDN are mission critical} were analyzed against proprietary documents detailing security measures in place at my hosting partners' data centers, and against the OWASP Top 10,\footnote{\url{https://owasp.org/www-project-top-ten/} Top 10 Web Application Security Risks, OWASP, September 2021} the MDN HTTP Observatory,\footnote{\url{https://developer.mozilla.org/en-US/observatory/analyze?host=isaac.run} HTTP Observatory Report, Mozilla, September 2025 (substitute isaac.run for other domains)} and Internet.nl,\footnote{\url{https://internet.nl/site/www.isaac.run/3362441/} Website test: www.isaac.run, Dutch government, July 2025} with some monitoring available from my hosts and continued monitoring with OSSEC.
+
+\subsection{Remedies}
+\subsubsection{Overloaded systems}
+\textit{Affects Forgejo, Email, Bank, Assignments.}
+All systems have multiple levels of DDoS protection built in. These services also allow user-submitted content so to prevent harmful content, self-registration is disabled and all accounts must be manually created. However, while it is difficult for any single account to cause issues, if more people or more services were added to the server, the chance of a DoS is likely. Currently, as the services are mostly single-tenant, there is no need for scalability. If there ever comes a point where more than one server is needed, scalability will be addressed then.
+\subsubsection{SQL injection}
+\textit{Affects Forgejo, Assignments, Plausible.}
+Few services use SQL, and these ones are enterprise-ready, so it is assumed that they are resistant to SQL injection attacks.
+\subsubsection{Data center failure}
+\textit{Affects All.}
+There is a long list of what steps my hosting partners take to keep servers online. They include redundant fire systems, biometric locks, generators, multiple network links, and 24 hour monitoring and staffing.
+\subsubsection{Insecure accounts}
+\textit{Affects Plausible, certain Admin panels, Forgejo, Bank, Assignments}.
+Due to the increased security of disabling self-registration, accounts that are created can be forced and verified to meet stringent requirements. For example, Forgejo is configured to require at least a 24 character password, and Bank of Isaac accounts are set up in a way that the password is sent\footnote{Password files are uploaded to \href{https://wormhole.app}{Wormhole}, then the share link is sent to the recipient which expires after one download or one day.} to the user that not even I learn their password.
+\subsubsection{Certificate expiration}
+\textit{Affects All (-ig7.us).}
+Most, if not all, SSL certificates are managed by Certbot so renewal happens automatically. On the Lansing servers, certain certificates need to be renewed manually so it is possible that these certificates could expire.
+\subsubsection{Denial of service}
+\textit{Affects All.} Every system is at risk of a denial of service issue, either intentional or not. All systems have backups at the data center, operating system, and web server level, with some having additional protection at the application level. Most of my servers have several applications installed so keeping system usage low is crucial and can be maintained. My analytics show that I am often the only visitor on most of my sites.
+\section{Impact}
+The failure or breach of any system is unlikely to cause physical harm to any person. However, there are reputation costs not only to myself, but also to my clients. Their customers may wonder why an issue has occured, whether their information is at risk, or lose confidence in the ability to conduct business.
+
+A server failure would be the most destructive of these options. For example, nearly all requests for any webpage make a subsequent request to the CDN for a font file, image file, or stylesheet. Failure to reach the site could break usability or accessibility for some users, and this has the added risk of noncompliance with accessibility statutes.
+
+Extended downtime does not have much direct financial cost. Stopgap solutions could be quickly spun up on alternate hardware or providers, and my providers are low-cost to begin with. My clients, while they do process online payments, have fairly low traffic so if part of their site was down, even for a few hours, there is a low chance anyone would be affected.
+
+\section{Risks}
+\subsection{Risk Matrix}
+\begin{center}
+\begin{table}[h!]
+\centering
+\begin{tabular}{ |l|m{30em}| } 
+\hline
+\textbf{Score} & \textbf{Description}\\
+\hline
+Very high & Complete and total degradation of a mission critical service, or loss of confidentiality or security. Examples: kernel panic, password breach, DDoS, SSO failure, unauthorized access to restricted files\\
+High & Severe, but not critical failure of a critical service. Expected to cause errors, but not total collapse. Examples: Payments fail, Forgejo fails to retrieve git information, leaked secrets\\
+Moderate & Important but not severe degradation, or prolonged disruption to, a service. Examples: Slow return speeds on a website, certificate expiration, backend down for maintenance\\
+Low & Should-fix issues but not major cause for concern. Examples: minor stylesheet fails to load, email takes a long time to deliver, Content-Security-Policy violation, site does not redirect to HTTPS\\
+Very low & Minor annoyances that have no real impact. Examples: visual glitch on a webpage, children attempting to login to a server\\
+\hline
+\end{tabular}
+\caption{Risk matrix and scores. Adapted from Table I-2 of NIST SP 800-30.}
+\end{table}
+\end{center}
+
+\subsection{Risk Mitigations}
+OWASP places broken access control as the highest vulnerability. \footnote{\url{https://owasp.org/Top10/A01_2021-Broken_Access_Control/} A01:2021 – Broken Access Control, OWASP, September 2021} Securing access to the servers remains the high priority. Currently, measures in place include login only over SSH, strong password for users, and default SSH port was changed. To further tighten access, SSH could be denied for root, login only with a user with no sudo access, and denying access over IPv4. Some sites also place files at publicly accessible URL but not hyperlinked from any other page, but this should change to place those documents out of the web root.
+
+\section{Conclusion}
+Overall, the likelihood of a threat becoming a reality is low. There are redundant systems in place to mitigate attacks, other resources I can draw on to help in the event of a current attack, and systems are continually monitored for performance and reliability. Due to the scale of my operations, the limited personal information stored anyway, and the low criticality of my services, and use of current software, I find there is no immediate risk to Isaacal Media.
+
+Low risk threats to mitigate include strengthening SSH access, removing potentially sensitive documents from the web root, and configuring proper intrusion detection systems. All software, including services, cipher suites, encryption methods, operating systems, etc. is kept as up-to-date as is feasible. All secure information, such as passwords, are already stored in a hashed form and pose low risk if taken.
+
+\end{document}

CIS258/F25IEC_Project1_Greene_Isaac.tex

@@ -0,0 +1,17 @@
+\documentclass{beamer}
+\usepackage{palatino}
+\title{Sample title}
+\author{Anonymous}
+\institute{Overleaf}
+\date{2021}
+
+\begin{document}
+
+\frame{\titlepage}
+
+\begin{frame}
+\frametitle{Sample frame title}
+This is some text in the first frame. This is some text in the first frame. This is some text in the first frame.
+\end{frame}
+
+\end{document}