1

Asset & Change Management — Tags, RFC, CAB, Maintenance Windows

You can't defend what you don't know you have. Asset management ensures every device on the network is tracked, inventoried, and documented. Change management ensures every modification to those assets is planned, approved, tested, and reversible — preventing uncontrolled changes that increase risk.

Asset tagging

Asset tags
A unique ID assigned to each asset, correlating it to an inventory database record. Can be a barcode or RFID tag. The database record includes: vendor, model, serial number, asset ID, location, assigned user, value, and service history. If a tagged device goes missing, you know what was on it and who had it last.
Asset records
Beyond just tracking existence, records capture the configuration state of each asset — what software is installed, what patches are applied, what changes have been made. This is the foundation for understanding your attack surface and for incident response ("what was on that machine when it was compromised?").

Change management process

RFC
Request for Change — document listing the reason for the change and the procedures to implement it, including expected downtime, rollback plan, and test results. Every change starts here.
Categorise
Major / Significant / Minor / Normal — classify by potential impact and risk. Higher categories require more senior approval. Normal/minor changes may be approved by a supervisor; major changes go to the CAB.
CAB
Change Advisory Board — technical and management leaders who evaluate major/significant changes, weigh cybersecurity risk against business impact, and schedule them into maintenance windows.
Rollback plan
If it breaks, can we undo it? Every RFC must include a rollback/remediation plan — how to return to the last known-good state if the change causes unexpected problems. No rollback plan = no change approval.
Maintenance window
Scheduled authorised downtime — typically Saturday midnight to 4 AM in most organisations. All approved changes execute during this window to minimise business impact. Emergency changes need a special window approved separately.
Exam context — critical patch + change management: A critical patch drops at 11 AM. Should you immediately apply it? Not necessarily. Consider: analyse the risk → test in staging → get emergency window approved for 9 PM tonight → apply with team present and rollback ready. Balancing urgency against business interruption is the right answer. Don't jump to "patch immediately" without considering business impact.
2

Network Architectures — Physical, VPN, SDN & SASE

Physical networks
Cabling, switches, APs
Traditional wired and wireless infrastructure. Primary risk: physical access. Someone plugging a Wi-Fi pineapple into an open switch port can extend your wired network wirelessly to the car park. Physical security controls (locks, cameras, guards, badge access to comms closets) are the countermeasure.
VPN
Encrypted tunnel over internet
Extends the corporate network to remote locations via an encrypted tunnel. The internet path is secured by end-to-end encryption. The real vulnerability: the remote location. The laptop in a hotel room is now part of the corporate network — anyone looking over the user's shoulder can see corporate data. Deperimeterisation risk.
SDN
Software-defined networking
APIs and programmable hardware virtualise the network. Enables rapid automated changes, elastic scaling, and easy forensic data collection (everything is code = easy to capture). Challenge: changes happen so fast that human administrators struggle to keep up. Rogue virtual devices are harder to detect than physical hardware.
SASE
Secure Access Secure Edge
Combines WAN capabilities with network security services delivered from the cloud. Addresses distributed users (remote workers, branch offices, mobile). Typically includes: firewall, VPN, zero-trust network access, and CASB. AWS VPC, Azure Virtual WAN, Google Cloud Interconnect are aligned (not identical) implementations.

SDN — Three planes

Control Plane
How should traffic move?
Makes decisions about traffic prioritisation, security, and routing. Defines policy. Answers "where does this packet go and with what priority?"
Data Plane
Actually moves the traffic
Handles actual switching and routing of packets. Implements ACLs. Executes the control plane's decisions. The "fast path" where traffic flows.
Management Plane
How is the network configured?
Monitors traffic conditions and network status. Allows configuration changes and administrative oversight. Sets the policy that the control plane uses.
3

Segmentation — Four Types

Segmentation divides a network into separate zones, applying different security measures to each group. By isolating systems based on function, you contain breaches — an attacker who compromises one segment can't freely pivot to all others.

Air Gap / System Isolation
No network connection at all
Physically separates a network from all others — no cables, no wireless, no connections. Data transfer requires physical media (USB drive, CD). Eliminates network-based attack paths entirely. Management intensive: every update requires physical access.
Use case: nuclear reactor controls, classified systems, critical ICS. Stuxnet lesson: even air-gapped systems can be infected via infected USB media — the air gap doesn't protect against the transfer mechanism.
Physical Segmentation
Separate physical switches per segment
Each segment has its own dedicated switch — devices on Switch A cannot reach devices on Switch B without going through a router. Creates definitive physical isolation. Expensive: one switch per segment.
Use case: small networks where cost is acceptable, or when the highest assurance of isolation is required and virtual segmentation is insufficient.
Virtual Segmentation (VLANs)
Software-defined segments on one switch
One physical switch can simulate many logical switches using VLANs. Devices in different VLANs cannot communicate without going through a router/firewall with ACLs. Cost-efficient — 96-port switch can host dozens of segmented VLANs.
Use case: enterprise networks — wireless VLAN, guest VLAN, server VLAN, management VLAN, all on one physical switch with VLAN-based isolation.
Zones & ACLs
Logical groups with enforcement rules
Zones are logical groupings where all hosts share the same security configuration. ACLs (access control lists) define what traffic can flow between zones — specifying permitted IP addresses, ports, and directions. The firewall enforces zone-to-zone rules.
Use case: inside zone (trusted), screened subnet / DMZ (semi-trusted), outside zone (untrusted). ACLs define what each zone can send to and receive from the others.
4

Screened Subnet, Jump Box & Bastion Hosts

Network zone diagram

Three-Zone Network Architecture
Outside Zone
Internet
Untrusted
External users
🔥 FW1
Screened Subnet (DMZ)
Web server
Email server
Proxy server
Jump box
🔥 FW2
Inside Zone
Workstations
Internal servers
Active Directory
File shares
🔴 Outside zone → untrusted, internet-accessible 🟡 DMZ/Screened subnet → semi-trusted, internet-facing services 🔵 Inside zone → trusted, invisible to outside

Screened subnet (DMZ)

A screened subnet is a network segment isolated from both the inside network and the internet by firewalls. It hosts internet-facing services — servers that accept inbound connections from the outside world. The inside network remains invisible to external scanning. Even though these are your own servers, treat them as semi-trusted: they could be compromised at any time.

What belongs in the DMZ
Web servers, email servers, proxy servers, remote access servers, DNS servers (public), communication services. Anything providing public services or extranet capabilities. Never put Active Directory, internal file shares, or databases directly in the DMZ.
Bastion hosts
DMZ servers configured with only the services they need to perform their public function — nothing else. No Active Directory, no internal services, no extra software. Minimised attack surface makes compromise less impactful. Every DMZ host should be a bastion host.
Internet-facing hosts
A host or server that accepts inbound connections from the internet without the client needing to initiate contact first. Web servers, email servers, VPN concentrators. If an external user can reach it unsolicited, it's internet-facing — it belongs in the DMZ, not the inside network.

Jump box

A jump box is a hardened server inside the DMZ (or between the inside network and DMZ) that provides the only authorised path for administrators to manage DMZ hosts. The inside network connects to the jump box; the jump box connects to the DMZ servers. Never connect directly from the inside network to DMZ hosts without going through the jump box.

Jump box design
Minimal software — only what's needed for remote administration (SSH client, remote desktop). Heavily hardened. Can be a physical machine or a VM (VMs are preferred because you can rebuild from a known-good image quickly). Admins connect inside → jump box → DMZ server.
Jump box security
This is the single authorised path into the DMZ from the inside network. If the jump box is compromised, the attacker has access to all DMZ hosts. It must be the most hardened machine on the inside network. Apply MFA to access it. Log all sessions on it.
Pivot detection: Put an IDS between the screened subnet and the inside network. A compromised DMZ host that tries to connect inward is using the DMZ as a pivot point — a classic attack technique. Monitor and alert on any inbound connections from the DMZ to the inside zone that haven't been explicitly permitted.
5

Virtualization — VDI, Containers, VM Sprawl & Virtual Networks

VDI — Virtual Desktop Infrastructure
User desktops in the cloud
Personal computing environment separated from the physical device — the desktop runs on a cloud server, the user's device is just a display. Processing happens server-side. Advantage: centralised patching, no data stored locally. Disadvantage: if the server or network goes down, users can't work at all — single point of failure.
Containerisation
Lightweight isolated app environments
Containers share the host OS kernel — no separate OS per container. Much more resource-efficient than VMs. Containers are logically isolated by default (no communication without explicit networking). Critical security risk: if the host OS is compromised, all containers on that host are compromised simultaneously.
Container security risk: One hypervisor or host OS compromise = all VMs/containers on that host are compromised. Separate internal network VMs and DMZ VMs onto different physical servers to prevent cross-contamination. VM escape attacks and hypervisor vulnerabilities can break container/VM isolation — keep the hypervisor itself patched and hardened.

Virtual infrastructure security concerns

VM Sprawl
VMs being provisioned without proper change control. Because VMs are easy to create, people spin them up and forget to decommission them. Each abandoned VM is a running OS with potential vulnerabilities on the network. Enforce change management for VM creation and maintain a VM inventory.
Virtual networks
Virtual switches in hypervisors don't always behave like physical switches — they may fail to properly isolate traffic between VMs. For sensitive segmentation, connect each VM to a dedicated physical NIC. Keep internal network VMs and DMZ VMs on separate physical hypervisor hosts.
Management interface
The centralised hypervisor management platform (e.g. vCenter) controls all VMs. If compromised, it gives access to everything. Apply separation of duties: a virtualisation team manages the hypervisor, a separate server admin team manages the VMs running on top of it.
Resource exhaustion
A physical host with 64 GB RAM running VMs at 4 GB each can host 16 VMs. Spinning up a 17th causes overcommitment — performance degrades or VMs crash. Monitor host resource utilisation continuously to prevent inadvertent self-inflicted availability issues.
6

Honeypots & Active Defense

Active defense is the practice of responding to threats by deceiving or degrading the threat actor's capabilities — engaging the adversary rather than purely defending. This ranges from passive deception (honeypots) to aggressive counter-attacks (hack back).

🍯 Honeypot
A single host or server set up to look like an attractive target. Left intentionally unpatched, filled with fake data, exposed to the internet. Lures attackers away from real assets. Allows analysts to watch attacker techniques, tools, and procedures without them knowing they're being observed. Generates real-world TTPs for threat intelligence.
🌐 Honeynet
An entire fake network designed to look like a real company's infrastructure. Used by security research firms to study attacker behaviour at scale. Provides data for TTP attribution — "this malware/technique matches APT28's known tooling." Outputs threat intelligence shared with the wider community.
🎭 Annoyance Strategies
Waste attacker time and resources through obfuscation. Examples: bogus DNS entries (attacker scans for servers that don't exist), decoy directories on web servers (confidential/, financial/), port triggering (redirect attacker to wrong service), fake file shares. While they're wasting time on decoys, they're not attacking real assets.
⚔ Hack Back
Using offensive/counterattacking techniques to identify and degrade the attacker's capabilities (e.g. DoS against their C2 server). Rarely permitted and legally risky in most jurisdictions. In the US, hacking back is illegal regardless of who attacked you first. Only government/military actors typically have legal authority. Legal and reputational implications must be thoroughly evaluated before considering this option.
⚠ Not recommended for most organisations — legal risk is significant

Attribution

Attribution is the identification and publication of an attacker's TTPs as useful threat intelligence. Honeynets help security researchers (like FireEye/Mandiant) build APT profiles: "we believe this attack is attributable to APT28 based on their known tooling, techniques, and infrastructure" — connecting specific malware, C2 infrastructure, and tactics to known threat actors.

7

Deperimeterisation & Zero Trust

Deperimeterisation is the removal of a clear boundary between your organisation and the outside world. Cloud adoption, remote work, mobile devices, and outsourcing have all pushed corporate data and users outside traditional office boundaries. A traditional perimeter firewall no longer protects them.

Drivers of deperimeterisation

Mobile devices
Smartphones and tablets connect to your network over cellular, home WiFi, hotel networks, and coffee shop networks — all outside your control. Each external network introduces risk that returns to the corporate network with the device.
Cloud migration
Data in AWS, Azure, Google Cloud, or SaaS platforms is outside your network perimeter entirely. You can't protect it with a perimeter firewall. Data-level controls, encryption, and IAM must protect it directly.
Remote work
Employees connecting from home, hotels, and co-working spaces. VPNs provide encrypted transport but the physical environment is uncontrolled. Who else is in the room? Is the local network trustworthy?
Outsourcing
Contractors and partners need access to systems and data. They're outside your perimeter, using their own devices and networks. Every contractor access point is a perimeter extension you don't fully control.

Zero trust — the response to deperimeterisation

Traditional Perimeter Model ❌
Everything inside the firewall is trusted. Once you authenticate at the perimeter, you have access. A VPN session = trusted network access. An attacker who gets inside the perimeter has free lateral movement. Assumes: internal = safe.
Zero Trust Model ✓
Nothing is trusted by default — inside or outside. Every access request is verified: Who is asking? What do they want? Where are they? Why do they need it? How are they connecting? Authenticate continuously. Verify every resource access. Assume breach.
Microsegmentation
Create microperimeters within the network. Every time a user or device crosses a segment boundary (inbound or outbound), they're re-authenticated and re-authorised. No free lateral movement — every hop requires a new check.
Zero trust checks
Not just authentication (who are you?) but also: What do you want to access? Where are you requesting from? Why at this time? How are you connecting? All five questions evaluated continuously, not just at login.
Layer 7 threat prevention
Zero trust operates at the application layer — inspecting the content and context of requests, not just source/destination IPs. Enables fine-grained control: this user can read this document type but not download it.
Zero trust and VPN: A VPN provides encrypted transport, but once connected the traditional VPN grants broad network access. Zero trust VPN replaces this with per-resource access: you authenticate to the VPN, but you then separately authenticate and authorise each resource you want to access. No blanket "you're on the VPN so you can reach everything."

Exam

Quick Reference Cheat Sheet

Asset & change management
Asset tags = barcode/RFID ID + database record (vendor/model/serial/location/user/value/history). RFC = Request for Change (reason + procedures + rollback plan). CAB = Change Advisory Board (approves major/significant). Maintenance window = scheduled authorised downtime. Emergency change = test first, then special window. Rollback plan required for every change.
Network architectures
Physical = cabling/switches (risk: open switch port → Wi-Fi pineapple). VPN = encrypted tunnel (risk: deperimeterisation → shoulder surfing). SDN = software-defined, 3 planes (Control=routing decisions, Data=moves traffic, Management=config). SASE = SD-WAN + cloud security (AWS VPC, Azure Virtual WAN, Google Cloud Interconnect).
Segmentation types
Air gap = no physical connection (nuclear plants, ICS). Physical = separate switches per segment. Virtual = VLANs on one switch (same effect, lower cost). Zones + ACLs = logical groups with firewall rules between them. ACLs = list of IP/port combinations allowed or denied per zone boundary.
Screened subnet / DMZ
Screened subnet = segment isolated by firewalls, accepts inbound from internet. Internet-facing hosts = servers accepting unsolicited inbound connections. DMZ contains: web, email, proxy, remote access. Bastion host = minimal services, hardened. Inside zone = invisible from outside. Jump box = hardened admin access path inside→DMZ. IDS between DMZ and inside zone to detect pivoting.
Virtualisation
VDI = cloud desktops, centralised management, single point of failure if server/network down. Containers = shared host OS kernel, lightweight, logically isolated — host OS compromise = all containers compromised. VM sprawl = uncontrolled VM proliferation (enforce change control). Virtual networks: don't rely solely on virtual switches for sensitive isolation — use dedicated physical NICs or separate physical hosts.
Active defense
Honeypot = single fake server luring attackers. Honeynet = entire fake network for research + attribution. Attribution = identifying attacker TTPs/identity from observed behaviour. Annoyance strategies: bogus DNS, decoy directories, port triggering/spoofing. Hack back = counterattack — illegal for most organisations in most jurisdictions. Legal/reputational risk must be evaluated before any active offense.
Deperimeterisation & zero trust
Deperimeterisation = no clear network boundary (cloud + mobile + remote work). Zero trust = verify everything, trust nothing by default (inside OR outside network). Checks: Who / What / Where / Why / How for every access request. Microsegmentation = microperimeters with re-auth at every boundary crossing. Traditional model = inside=trusted. Zero trust = no one is trusted until verified continuously.