R-001 - Compromise of Public-Facing Services Leading to Lateral Impact

Risk Description

Public-facing services hosted on the same system as sensitive components (e.g. source code management) may allow an attacker to gain an initial foothold and attempt lateral movement.

This could lead to unauthorized access to:

source code repositories
deployment pipelines
stored credentials or secrets

Asset / Scope

VPS hosting public services (Docusaurus, reverse proxy)
Source code management platform (Gitea)
CI/CD mechanisms

Likelihood

Possible

Public services are exposed to the internet and may be targeted through common web vulnerabilities or misconfigurations.

Impact

Major

Potential compromise of:

code integrity
deployment processes
sensitive data

Risk Level

High

Existing Controls

basic system hardening
restricted SSH access
service isolation (partial)

Treatment Decision

Mitigate

Treatment Strategy

separate public services and sensitive components (ADR-001)
reinforce isolation boundaries
improve monitoring and detection

Current Maturity

Established

risk identified and documented
architectural weakness acknowledged

In Progress

infrastructure separation (multi-VPS)
reduction of co-location risks

Planned / Next Phase

stricter isolation validation
monitoring coverage improvement

Risk Description​

Asset / Scope​

Likelihood​

Impact​

Risk Level​

Existing Controls​

Treatment Decision​

Treatment Strategy​

Current Maturity​

Established​

In Progress​

Planned / Next Phase​