2.3 Mitigation techniques
📘CompTIA Security+ SY0-701
Mitigation techniques are methods used by cybersecurity professionals to reduce or eliminate security risks in systems, networks, and applications. These techniques help protect against threats and vulnerabilities that could lead to data breaches, malware infections, or unauthorized access.
This section covers five key mitigation methods you must understand for the Security+ exam:
Application Allow Listing, Isolation, Patching, Encryption, and Monitoring.
1. Application Allow Listing
Definition:
Application allow listing (also called “whitelisting”) is a security control that permits only approved applications to run on a system.
Any software not on the list is automatically blocked from executing.
Purpose:
- Prevent unauthorized or malicious software (like ransomware or spyware) from running.
- Enforce strict control over what applications can be installed or executed on company devices.
How it works:
- The organization creates a list of trusted applications based on file hashes, digital signatures, or application names.
- The operating system or endpoint protection tool compares programs trying to run against the allow list.
- If the application matches an entry, it runs. If not, it’s blocked.
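The matching logic above, as an added example that is not part of these notes: a minimal allow-list check in Python with entries by SHA-256 hash, by a simulated publisher signature, and by file name, blocking by default. The file bytes, publisher names and allow-list entries are constructed for the example.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample "executables"; in a real system these are the file bytes on disk.
SAMPLE_FILES = {
    "notepad.exe": b"MZ...notepad-binary-bytes",
    "payroll.exe": b"MZ...payroll-binary-bytes",
    "tool.exe": b"MZ...unknown-binary-bytes",
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed allow list: entries by hash, by (simulated) publisher signature,
# or by file name, matching the three identifiers described in the notes.
ALLOW_LIST = [
    {"type": "hash", "value": sha256_of(SAMPLE_FILES["notepad.exe"])},
    {"type": "publisher", "value": "Example Corp HR"},
    {"type": "name", "value": "calc.exe"},  # name-only rule: weakest kind of entry
]

def check_execution(name: str, data: bytes, publisher: Optional[str]) -> Tuple[str, str]:
    """Decide whether a program may run. Rules are checked in list order
    (hash rules first, as the most specific); anything that matches no
    entry is blocked, i.e. the default is deny."""
    digest = sha256_of(data)
    for rule in ALLOW_LIST:
        if rule["type"] == "hash" and rule["value"] == digest:
            return "allow", "hash match"
        if rule["type"] == "publisher" and publisher == rule["value"]:
            return "allow", "publisher match"
        if rule["type"] == "name" and name.lower() == rule["value"]:
            return "allow", "name match"
    return "block", "no allow-list entry"

if __name__ == "__main__":
    # A modified copy of notepad.exe no longer matches its hash entry, so it is blocked;
    # a file named calc.exe is allowed by name regardless of its content, which is
    # why hash or signature rules are preferred over name rules.
    print(check_execution("notepad.exe", SAMPLE_FILES["notepad.exe"], None))
    print(check_execution("notepad.exe", SAMPLE_FILES["notepad.exe"] + b"!", None))
    print(check_execution("calc.exe", SAMPLE_FILES["tool.exe"], None))
```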
Benefits:
- Reduces malware infections.
- Prevents employees from installing unapproved software.
- Helps maintain compliance with company security policies.
Security+ Exam Tip:
If the question asks how to stop unapproved programs from running, the correct answer is application allow listing.
2. Isolation
Definition:
Isolation is a security technique that separates processes, systems, or applications from each other to prevent the spread of threats or unauthorized access.
Types of Isolation:
- Sandboxing:
  - A sandbox is a controlled environment where suspicious applications or code can run safely without affecting the rest of the system.
  - Used for testing unknown files, especially by malware analysts.
- Network Isolation (Segmentation):
  - Separates networks or devices into different zones so that a compromise in one area does not spread to others.
  - Example: Keeping internal servers on a separate VLAN from user workstations.
- Application Isolation:
  - Runs applications in separate containers or virtual environments to prevent them from interfering with each other.
  - Example: Using Docker containers or virtual machines.
Benefits:
- Limits the damage of malware or data breaches.
- Improves system stability and containment.
- Allows testing of untrusted software safely.
Security+ Exam Tip:
If a scenario describes running suspicious code in a safe environment, it refers to sandboxing or isolation.
3. Patching
Definition:
Patching means updating software, operating systems, or firmware to fix known vulnerabilities or bugs.
Purpose:
Hackers often exploit known vulnerabilities. Patching closes these holes and keeps systems secure and compliant.
Types of Patches:
- Security patches: Fix security flaws that attackers could exploit.
- Feature patches: Add or improve functionality.
- Bug fixes: Correct software errors or crashes.
Patch Management Process:
- Identify: Track available patches from vendors.
- Test: Verify that patches do not cause issues with existing systems.
- Deploy: Apply patches to production systems.
- Verify: Confirm the patch was installed correctly.
- Document: Keep records for auditing and compliance.
Best Practices:
- Use automated patch management tools (e.g., WSUS, SCCM, or cloud-based services).
- Prioritize critical security updates first.
- Apply firmware updates for network devices and hardware regularly.
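The Identify, Verify and Document steps of the patch management process above, together with the "critical first" prioritisation, as an added example that is not part of these notes. The inventory and vendor advisory data are constructed, and versions are assumed to be purely numeric dotted strings.

```python
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045): compare numerically, not as strings,
    otherwise '10.0.9' would sort above '10.0.19045'. Assumes numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "ws-01": {"os": "10.0.19041", "browser": "118.0.1"},
    "srv-db": {"os": "10.0.19045", "dbms": "15.2"},
}
# Constructed vendor advisories: product -> (first fixed version, severity)
ADVISORIES = {
    "os": ("10.0.19045", "critical"),
    "browser": ("118.0.2", "high"),
    "dbms": ("15.3", "medium"),
}

def identify_missing(inventory: Dict, advisories: Dict) -> List[Tuple[str, str, str, str, str]]:
    """Identify step: every (severity, host, product, installed, fixed) where the
    installed version is older than the fixed one, critical first."""
    missing = []
    for host, products in inventory.items():
        for product, installed in products.items():
            if product not in advisories:
                continue
            fixed, severity = advisories[product]
            if parse_version(installed) < parse_version(fixed):
                missing.append((severity, host, product, installed, fixed))
    missing.sort(key=lambda m: (SEVERITY_RANK[m[0]], m[1], m[2]))
    return missing

def verify_and_document(host: str, product: str, observed: str, advisories: Dict) -> Dict[str, str]:
    """Verify step: confirm the version seen after deployment meets the fixed version,
    and return an audit record for the Document step."""
    fixed, severity = advisories[product]
    patched = parse_version(observed) >= parse_version(fixed)
    return {"host": host, "product": product, "observed": observed, "required": fixed,
            "severity": severity, "status": "patched" if patched else "still vulnerable"}

if __name__ == "__main__":
    for item in identify_missing(INVENTORY, ADVISORIES):
        print(item)
    print(verify_and_document("ws-01", "os", "10.0.19045", ADVISORIES))
```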
Security+ Exam Tip:
If the question refers to fixing vulnerabilities or maintaining system security over time, patching is the right answer.
4. Encryption
Definition:
Encryption is the process of converting readable data (plaintext) into unreadable form (ciphertext) using a mathematical algorithm and a key.
It ensures that only authorized users with the correct key can read the data.
Purpose:
To protect data confidentiality — even if data is stolen or intercepted, it remains unreadable without the decryption key.
Types of Encryption:
- Data at Rest Encryption:
  - Protects stored data (on hard drives, USBs, servers, or cloud storage).
  - Example: BitLocker, VeraCrypt.
- Data in Transit Encryption:
  - Protects data while it is moving across networks (such as web traffic or emails).
  - Example: HTTPS, TLS, VPN encryption.
- Data in Use Encryption:
  - Protects data while being processed in memory, such as using secure enclaves or confidential computing.
Common Encryption Methods:
- Symmetric Encryption: Same key for encryption and decryption (e.g., AES).
- Asymmetric Encryption: Public key encrypts, private key decrypts (e.g., RSA).
- Hashing: One-way transformation used for integrity verification; the output cannot be reversed to recover the original input (e.g., SHA-256).
Benefits:
- Protects sensitive information (like passwords and financial data).
- Helps meet compliance requirements (GDPR, HIPAA, etc.).
- Prevents data exposure during breaches.
Security+ Exam Tip:
If a question asks how to protect confidentiality of stored or transmitted data, the correct answer is encryption.
5. Monitoring
Definition:
Monitoring involves continuously observing systems, networks, and applications to detect and respond to suspicious activities, performance issues, or policy violations.
Purpose:
To identify attacks or anomalies early, before they cause major damage.
Common Monitoring Tools:
- SIEM (Security Information and Event Management):
  - Collects and analyzes log data from multiple sources (firewalls, servers, endpoints).
  - Detects patterns of attacks and triggers alerts.
- IDS/IPS (Intrusion Detection/Prevention Systems):
  - IDS detects suspicious activity and sends alerts.
  - IPS detects and automatically blocks malicious traffic.
- Endpoint Detection and Response (EDR):
  - Monitors endpoints (PCs, laptops, mobile devices) for malware or abnormal behavior.
- Network Monitoring:
  - Tools like Wireshark or Nagios help track network traffic, bandwidth, and performance.
Benefits:
- Provides visibility into network activity.
- Helps identify security incidents in real time.
- Supports compliance and auditing by keeping logs.
Best Practices:
- Configure alerts for critical events.
- Use baseline monitoring to identify abnormal patterns.
- Regularly review logs for potential threats.
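The SIEM, IDS/IPS and alerting ideas above, as an added example that is not part of these notes: a small detection run over constructed authentication log lines. A fixed failure threshold stands in for the baseline of normal behaviour, and the `respond` function shows the IDS (alert only) versus IPS (alert and block) difference. The log format, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log lines in an sshd/syslog-like format (assumed for the example).
SAMPLE_LOGS = """\
Jan 10 09:00:01 srv-01 sshd[1001]: Failed password for alice from 10.0.0.5 port 5001
Jan 10 09:00:03 srv-01 sshd[1002]: Failed password for alice from 10.0.0.5 port 5002
Jan 10 09:00:04 srv-01 sshd[1003]: Failed password for alice from 10.0.0.5 port 5003
Jan 10 09:00:05 srv-01 sshd[1004]: Failed password for alice from 10.0.0.5 port 5004
Jan 10 09:00:07 srv-01 sshd[1005]: Accepted password for alice from 10.0.0.5 port 5005
Jan 10 09:05:00 srv-01 sshd[1006]: Failed password for bob from 10.0.0.9 port 6001
Jan 10 09:05:10 srv-01 sshd[1007]: Accepted password for bob from 10.0.0.9 port 6002
"""

LOG_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")

def detect_bruteforce(log_text: str, threshold: int = 3) -> List[Dict[str, object]]:
    """Raise one alert per (user, source) when at least `threshold` failed logins
    are followed by a success from the same source. `threshold` stands in for the
    baseline of normal failures the notes describe; a success after only a few
    failures is treated as the ordinary mistyped-password pattern and resets it."""
    failures = defaultdict(int)  # (user, source) -> consecutive failures
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        outcome, user, src = m.groups()
        key = (user, src)
        if outcome == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"user": user, "source": src,
                           "failures": failures[key], "severity": "critical"})
        failures[key] = 0
    return alerts

def respond(alerts: List[Dict[str, object]], mode: str = "ids") -> List[str]:
    """IDS mode only records alerts; IPS mode also emits a block action for the source."""
    actions = []
    for a in alerts:
        actions.append(f"alert: {a['user']} from {a['source']} ({a['failures']} failures)")
        if mode == "ips":
            actions.append(f"block: {a['source']}")
    return actions

if __name__ == "__main__":
    for action in respond(detect_bruteforce(SAMPLE_LOGS), mode="ips"):
        print(action)
```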
Security+ Exam Tip:
If the question asks about detecting security incidents or unusual activity, the answer is monitoring or SIEM.
✅ Summary Table for Quick Review
| Technique | Purpose | Key Benefit | Security+ Focus |
|---|---|---|---|
| Application Allow Listing | Allow only approved apps to run | Prevents malware and unauthorized software | Stops unapproved applications |
| Isolation | Separate systems or apps | Limits spread of threats | Sandboxing, containerization |
| Patching | Fix software vulnerabilities | Reduces risk of exploitation | Keep OS and firmware updated |
| Encryption | Protect data confidentiality | Keeps stolen data unreadable | Protects data in transit/rest |
| Monitoring | Track system and network activity | Detects threats early | SIEM, IDS/IPS, EDR |
Final Exam Reminder:
For the SY0-701 exam, expect scenario-based questions where you’ll choose the most effective mitigation technique.
Be ready to match each technique to its purpose — for example:
- Stopping unknown programs → Application Allow Listing
- Testing suspicious files safely → Isolation (Sandboxing)
- Preventing data theft → Encryption
- Fixing vulnerabilities → Patching
- Detecting intrusions → Monitoring
