Domain 2 of 5 · Chapter 5 of 6

Mitigation Techniques

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • The two jobs of a mitigation: shrink the surface or contain the threat
  • Hardening: the per-host mitigation bundle
  • Segmentation vs isolation vs least privilege: not interchangeable
  • Lifecycle ends: configuration enforcement and secure decommissioning

Common SY0-701 mitigations: what each one mitigates

TechniquePrimary jobWhat it mitigatesTypical implementation
PatchingSurface reductionExploitation of a known vulnerabilityVendor update / patch management cycle
SegmentationContainmentLateral movement between zonesVLANs, subnets, firewall zones
IsolationContainmentSpread from an already-infected hostQuarantine, sandbox, air gap
Least privilegeContainmentDamage from a compromised identity/processRole-based permissions, just-enough access
Application allow listContainmentExecution of unapproved/malicious codeAllow-list policy (e.g. WDAC, AppLocker)
Disable ports/protocolsSurface reductionExposure of unneeded servicesHost hardening, baseline config
Default-password changeSurface reductionUse of documented default credentialsHardening checklist / onboarding
Host-based firewall / HIPSSurface reduction + containmentUnwanted inbound/outbound traffic, host-level attacksEndpoint firewall, HIPS agent
EDR / endpoint protectionDetection + responsePersistence and post-compromise activity on the hostEDR agent with response actions
Encryption (at rest)ContainmentConfidentiality loss if media is stolenFull-disk / file-level encryption
Configuration enforcementSurface reductionDrift away from the hardened baselineGPO, MDM, NAC posture checks
DecommissioningSurface reductionOrphaned, unmanaged retired assetsCredential revocation + media sanitization

Decision tree

Vendor fix for a known vulnerability? Yes Patch primary; removes the flaw No fix yet / not patchable Goal: shrink THIS host's surface, or contain a breach? Shrink surface Harden the host disable ports/protocols, remove software, change defaults, encrypt Contain What does the stem emphasize? Prevent lateral movement (design) Segmentation VLANs, subnets, zones Cut off this infected host now Isolation quarantine, sandbox, air gap Identity has excess rights Least privilege access control / AC-6 Only approved code may run Application allow list WDAC / AppLocker Not a mitigation: detection-only controls Logging, IDS/HIDS, SIEM, and EDR's detect role shorten dwell time but neither shrink the surface nor contain the threat. Sustain hardening with configuration enforcement; retire assets via secure decommissioning.

Cheat sheet

  • Every mitigation either shrinks the attack surface or contains the threat
  • Patch first when a vendor fix exists; compensating controls only buy time
  • Detection shortens dwell time but is not itself a mitigation
  • Hardening is the per-host bundle of surface-reduction controls
  • HIPS sits inline and blocks; HIDS only watches and alerts
  • EDR detects and responds; it does not pre-empt attack surface
  • Segmentation contains lateral movement by partitioning the network
  • Isolation reactively cuts off one already-compromised host
  • Least privilege caps the blast radius of a compromised identity
  • Access control is how you enforce least privilege
  • Application allow lists let only approved code run
  • Disabling ports/protocols and removing software erase what could be attacked
  • Changing default passwords closes a publicly documented door
  • Encryption at rest contains data loss when storage is stolen
  • Configuration enforcement keeps the hardened baseline from drifting
  • Secure decommissioning revokes, sanitizes, then de-inventories
  • Media sanitization picks Clear, Purge, or Destroy by data sensitivity and reuse
  • A host firewall both reduces surface and contains: still a mitigation
  • A compensating mitigation is a stopgap, never the primary answer
  • Test a patch before production to avoid a self-inflicted outage

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. CompTIA Security+ (SY0-701) certification
  2. NIST SP 800-123, Guide to General Server Security Whitepaper
  3. NIST SP 800-53 Rev. 5, Security and Privacy Controls Whitepaper
  4. NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization Whitepaper