feat: apply styling

_layouts/threatmodel.html

@@ -3,22 +3,23 @@
 	{%- include head.html -%}
 	<body>
 		{%- include header.html -%}
-		<div class="container threat-model">
+		<div class="container blog">
 			<main>
 				<section class="flex-container">
 					<div class="flex-container-inner">
-						<h3>Distrust Threat Model</h3>
-						<p>Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and mitigating specific risks, the Distrust Threat Model, rather than modeling threats as potential risks, assumes that systems are already compromised. This pessimistic, assumption-driven approach focuses on building systems that can survive and remain secure even when critical components fail or are actively under attack by sophisticated threat actors at all levels.</p>
+						<h1>Distrust Threat Model</h1>
+						<p>Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and mitigating specific risks, the Distrust Threat Model, rather than modeling threats as potential risks, assumes that <b>systems are already compromised</b>. This pessimistic, assumption-driven approach focuses on building systems that can survive and remain secure even when critical components fail or are actively under attack by sophisticated threat actors at <b>all levels</b>.</p>
 					</div>
 				</section>
 
 				<section class="flex-container">
 					<div class="flex-container-inner">
-						<h3 id="assumptions">Assumptions</h3>
+						<h2 id="assumptions">Assumptions</h2>
 						<ul>
 							<li>All screens and displays are assumed to be observable by adversaries.</li>
 							<li>Input devices, such as keyboards, are assumed to be monitored or logged by potential attackers.</li>
 							<li>Any system components (firmware or bootloaders) not verified on every boot are considered at risk.</li>
+							<li>Standard consumer hardware is compromised.</li>
 							<li>Network-connected systems and administrative endpoints are potential compromise points.</li>
 							<li>Insider threats are assumed; some personnel or third-party maintainers may be compromised.</li>
 							<li>Physical attacks are viable and likely, given the history of supply chain and infrastructure breaches.</li>
@@ -29,7 +30,7 @@
 
 				<section class="flex-container">
 					<div class="flex-container-inner">
-						<h3>Levels</h3>
+						<h2>Levels</h2>
 						<p>While the end-goal is to adequately address the risks which stem from the <a href="#assumptions">assumptions</a>, organizations are at varying levels of maturity and often need a path towards mitigating threats in a phased approach. To this end, the threat model defines 4 levels, each corresponding to increasingly more sophisticated threat actors as the levels increase. Each threat actor is assumed to have access to specific methods of attack limited by factors such as cost to execute, sophistication, time required etc.</p>
 						<p>It is a reasonable approach to apply different threat model levels to different parts of systems. It's also worth noting that essentially no companies, to our knowledge meet adequate controls for Level 4 adversaries except for select nation states organizations and militaries.</p>
 					</div>
@@ -56,7 +57,7 @@
 						<p>A skilled and resourceful individual specifically targeting a single organization. This adversary employs focused efforts to breach systems, including sophisticated social engineering and exploitation of newly disclosed vulnerabilities.</p>
 						<h5>Attacks</h5>
 						<ul>
-							<li>Focused spear-phishing campaigns against key personnel.<li>
+							<li>Focused spear-phishing campaigns against key personnel.</li>
 							<li>Rapid exploitation of vulnerabilities shortly after public disclosure ("N-day" exploitation).</li>
 							<li>Man-in-the-middle (MitM) attacks against poorly secured communications.</li>
 							<li>Injection of malicious code into development pipelines.</li>

_sass/base.scss

@@ -438,8 +438,6 @@ a:hover {
 	margin-bottom: 50px;
 }
 
-
-
 .powered-by .card {
 	display: flex;
 	flex-direction: column;