2.3 Mitigation techniques
📘 CompTIA Security+ SY0-701
In cybersecurity, one of the most important goals is to reduce risk by limiting how much access or communication different parts of a network or system have with each other.
Two very effective techniques to achieve this are:
- Segmentation – dividing a network into smaller parts.
- Access control – controlling who or what can access specific systems or data.
Both help to contain threats, prevent unauthorized access, and protect sensitive data.
🧩 1. Network Segmentation
What is Segmentation?
Segmentation means dividing a network into smaller, isolated sections called segments or subnets.
Each segment has its own boundaries and security controls (like firewalls, VLANs, or routers).
Purpose of Segmentation
- Limit the spread of attacks: If one part of the network is compromised, attackers cannot easily move to other parts.
- Improve security visibility: You can monitor and control each segment separately.
- Protect sensitive data: Keep confidential data on a dedicated network with tighter controls.
- Enhance performance: Less traffic on each segment improves efficiency.
Types of Network Segmentation
1. Physical Segmentation
- Each network segment uses separate physical hardware, like switches, routers, and cables.
- Example in IT: The finance department’s computers are connected to their own switch, separate from other departments.
- Offers strong security, but is expensive and less flexible.
2. Logical Segmentation
- Uses software and configurations (like VLANs) to separate traffic, even on the same physical hardware.
- Easier and cheaper to implement.
- Example in IT: VLAN 10 for HR, VLAN 20 for IT, VLAN 30 for Guests, all running on one switch.
Segmentation Tools and Techniques
| Technique | Description | Used For |
|---|---|---|
| VLAN (Virtual LAN) | Logically separates devices on the same physical switch into isolated networks. | Internal network separation. |
| Subnets | Uses IP addressing to divide a network into smaller parts. | Control traffic routing and access. |
| Firewalls | Filters traffic between segments based on rules. | Enforce access policies between networks. |
| Access Control Lists (ACLs) | Define which traffic can pass between segments. | Restrict or allow communication. |
| Zero Trust Segmentation (Microsegmentation) | Breaks the network into very small zones, controlling access at the application or workload level. | Cloud and data center environments. |
Benefits of Segmentation
- Contain breaches: Attackers cannot easily move laterally within the network.
- Protect critical assets: Sensitive servers or databases can be isolated.
- Regulatory compliance: Many standards (like PCI DSS) require segmentation.
- Simplified management: Easier to apply and monitor security rules.
🔒 2. Access Control
What is Access Control?
Access control means deciding who or what can access a system, network, or data, and what actions they are allowed to perform.
It ensures that only authorized users or devices can access the right resources, at the right time, for the right reason.
Types of Access Control
1. Physical Access Control
- Controls who can enter a physical location (like a server room).
- Uses tools such as key cards, locks, or biometric scanners.
2. Logical (Technical) Access Control
- Controls access to digital resources like files, systems, or applications.
- Managed through operating systems, firewalls, and directory services (like Active Directory).
Common Access Control Methods
| Method | Description | Example in IT |
|---|---|---|
| DAC (Discretionary Access Control) | The resource owner decides who can access it. | A user shares a folder and sets permissions. |
| MAC (Mandatory Access Control) | Access is controlled by a central authority using classification levels (e.g., Secret, Confidential). | Used in government or military systems. |
| RBAC (Role-Based Access Control) | Access is based on roles within an organization. | An HR employee can access payroll data but not network configurations. |
| ABAC (Attribute-Based Access Control) | Uses multiple factors like user attributes, location, or time to decide access. | Access only allowed during work hours from the office network. |
| Rule-Based Access Control | Access is based on specific rules or policies set by an administrator. | Firewall rules or security policies. |
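To make the difference between the RBAC and ABAC rows concrete, here is an added Python example (not part of the course notes) that implements both decisions for the table's own scenarios: an HR role that can reach payroll data but not network configuration, and an ABAC layer that additionally allows access only during work hours from the office network. The role table, the `10.0.0.0/8` office range, the 09:00 to 17:59 weekday window and the user names are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed RBAC policy for a hypothetical organisation: role -> {(resource, action)}.
ROLE_PERMISSIONS = {
    "hr": {("payroll", "read"), ("payroll", "write")},
    "netadmin": {("network_config", "read"), ("network_config", "write")},
}

# Constructed environmental attributes consulted by the ABAC layer.
OFFICE_NETWORK = ip_network("10.0.0.0/8")
WORK_HOURS = range(9, 18)  # 09:00 to 17:59, Monday to Friday


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def rbac_allows(user: User, resource: str, action: str) -> bool:
    """RBAC: allowed if any role held by the user grants (resource, action).
    Rights are attached to the role, never to the individual."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def abac_decision(user: User, resource: str, action: str,
                  source_ip: str, when: datetime):
    """ABAC: the role check plus time-of-day and location attributes.
    Returns (allowed, reason) so a deny can be logged with its cause."""
    if not rbac_allows(user, resource, action):
        return False, "role does not grant this action"
    if when.weekday() >= 5 or when.hour not in WORK_HOURS:
        return False, "outside work hours"
    if ip_address(source_ip) not in OFFICE_NETWORK:
        return False, "request not from the office network"
    return True, "all attributes satisfied"


if __name__ == "__main__":
    hr_user = User("alice", frozenset({"hr"}))
    tuesday_10am = datetime(2024, 3, 5, 10, 0)   # constructed timestamp
    print(rbac_allows(hr_user, "payroll", "read"))          # True
    print(rbac_allows(hr_user, "network_config", "read"))   # False
    print(abac_decision(hr_user, "payroll", "read", "10.1.2.3", tuesday_10am))
    print(abac_decision(hr_user, "payroll", "read", "203.0.113.5", tuesday_10am))
```

The ABAC function deliberately runs the role check first: attributes such as time and source network narrow a grant, they never widen one, which is why the deny reasons are ordered the way they are.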
Access Control List (ACL)
An ACL is a set of rules that controls network traffic and user permissions.
It decides which users, systems, or network packets can access a resource and what kind of access they have.
Network ACLs
- Used in routers, firewalls, or switches.
- Control which IP addresses, protocols, or ports are allowed or denied.
- Example: Allow only port 443 (HTTPS) traffic to the web server, deny everything else.
File System ACLs
- Used in operating systems (like Windows or Linux).
- Define which users can read, write, modify, or execute a file or folder.
- Example: “User A can read a file, but User B cannot.”
Permissions
Permissions define specific actions a user or process can perform on a resource.
Common permission types:
- Read (R): View contents.
- Write (W): Modify or add data.
- Execute (X): Run a file or program.
- Full Control: Perform all actions.
In Windows or Linux systems, permissions are assigned to users and groups to ensure that each person only gets what they need — nothing more.
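As an added example (not from the course material), the following Python code models how a Linux file system applies the read, write and execute bits above. It evaluates exactly one permission class, owner, then group, then other, with no fall-through, which is the edge case that surprises people: an owner whose own bits are cleared is denied even if "everyone else" is allowed. The file metadata, user names and group names are constructed for the example.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    """Constructed stand-in for the fields an OS keeps per file."""
    mode: int    # permission bits only, e.g. 0o640
    owner: str
    group: str


# Which bit grants each action for the owner, group and other classes.
ACTION_BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}
CLASSES = ("owner", "group", "other")


def permission_class(meta: FileMeta, user: str, user_groups: set) -> str:
    """POSIX picks the first matching class and stops there."""
    if user == meta.owner:
        return "owner"
    if meta.group in user_groups:
        return "group"
    return "other"


def can_perform(meta: FileMeta, user: str, user_groups: set, action: str) -> bool:
    """True if the single applicable class has the bit for this action."""
    cls = permission_class(meta, user, user_groups)
    bit = ACTION_BITS[action][CLASSES.index(cls)]
    return bool(meta.mode & bit)


def mode_string(mode: int) -> str:
    """Render the nine permission bits the way ls does, e.g. rw-r-----."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))


if __name__ == "__main__":
    payroll = FileMeta(0o640, owner="alice", group="hr")  # constructed file
    print(mode_string(payroll.mode))                        # rw-r-----
    print(can_perform(payroll, "alice", {"hr"}, "write"))   # True  (owner)
    print(can_perform(payroll, "bob", {"hr"}, "read"))      # True  (group)
    print(can_perform(payroll, "bob", {"hr"}, "write"))     # False (group has no w)
    print(can_perform(payroll, "carol", {"it"}, "read"))    # False (other has nothing)
```

Mode `0o640` is the least-privilege shape for the payroll file in the course's own example: the owner can edit, the HR group can only read, and everyone else gets nothing.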
🧱 Combining Segmentation and Access Control
Segmentation and access control work together to build strong defenses.
- Segmentation divides and isolates systems.
- Access control restricts who can communicate or access each segment.
Example (IT context):
- A database server is placed in its own VLAN (segmentation).
- Only the web server is allowed to connect to it using port 3306 (access control via ACL).
- Database administrators have read/write access, while normal users do not (permissions).
This combination greatly reduces the attack surface and helps prevent lateral movement by attackers.
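The following Python code is an added example (not part of the course notes) that simulates the three-part scenario above together with the earlier network ACL example: a web VLAN, a database VLAN and a user VLAN, an ingress ACL on the database segment that permits only the web server on port 3306, and an ACL on the web segment that permits only port 443 from anywhere. It applies first-match semantics with an implicit deny at the end, as routers and firewalls do. The VLAN subnets, server addresses and packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp" or "any"
    src: str                 # CIDR; "0.0.0.0/0" means any source
    dst: str                 # CIDR
    dst_port: Optional[int]  # None means any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    """An entry matches only if every field it constrains agrees with the packet."""
    if entry.protocol != "any" and entry.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src_ip) not in ip_network(entry.src):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(entry.dst):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate_acl(acl, pkt: Packet):
    """First matching entry wins; no match means the implicit deny.
    Returns (action, index of the matching entry or None)."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry.action, index
    return "deny", None


# Constructed logical segmentation: one VLAN per function.
SEGMENTS = {
    "web": ip_network("10.10.10.0/24"),    # VLAN 10
    "db": ip_network("10.10.20.0/24"),     # VLAN 20
    "users": ip_network("10.10.30.0/24"),  # VLAN 30
}
WEB_SERVER = "10.10.10.5"
DB_SERVER = "10.10.20.5"

# Ingress ACL per segment. A segment with no entries accepts nothing from outside.
INGRESS_ACLS = {
    "db": [AclEntry("permit", "tcp", f"{WEB_SERVER}/32", f"{DB_SERVER}/32", 3306)],
    "web": [AclEntry("permit", "tcp", "0.0.0.0/0", f"{WEB_SERVER}/32", 443)],
    "users": [],
}


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is external."""
    for name, net in SEGMENTS.items():
        if ip_address(ip) in net:
            return name
    return None


def forward_decision(pkt: Packet) -> str:
    """Decision at the segment boundary. Traffic that stays inside one segment
    never crosses the boundary, so the ACL is not consulted for it."""
    src_seg, dst_seg = segment_of(pkt.src_ip), segment_of(pkt.dst_ip)
    if src_seg is not None and src_seg == dst_seg:
        return "permit"
    action, _ = evaluate_acl(INGRESS_ACLS.get(dst_seg, []), pkt)
    return action


if __name__ == "__main__":
    print(forward_decision(Packet("tcp", WEB_SERVER, DB_SERVER, 3306)))    # permit
    print(forward_decision(Packet("tcp", "10.10.30.7", DB_SERVER, 3306)))  # deny: user VLAN
    print(forward_decision(Packet("tcp", WEB_SERVER, DB_SERVER, 22)))      # deny: wrong port
    print(forward_decision(Packet("tcp", "203.0.113.9", WEB_SERVER, 443))) # permit
    print(forward_decision(Packet("tcp", "203.0.113.9", WEB_SERVER, 80)))  # deny
```

The point to notice is that a compromised workstation in the user VLAN cannot reach the database at all: the permit entry names the web server as the only allowed source, so lateral movement has to go through the web tier, where it can be watched.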
✅ Best Practices for the Exam
To remember key points for the Security+ exam:
| Concept | What to Remember |
|---|---|
| Segmentation | Divide networks to limit attacks and control traffic. |
| Physical Segmentation | Separate hardware for different networks. |
| Logical Segmentation | VLANs or subnets for traffic separation. |
| ACLs | Define which traffic or users are allowed or denied. |
| Permissions | Control actions like read, write, or execute. |
| Least Privilege Principle | Users get the minimum access needed for their job. |
| Role-Based Access | Access based on job roles, not individuals. |
| Microsegmentation | Fine-grained control, often used in cloud and virtualized environments. |
🧠 Exam Tip
Questions may ask:
- “Which technique prevents attackers from moving laterally across the network?”
  → Segmentation
- “Which access control method assigns rights based on organizational role?”
  → RBAC
- “Which device uses ACLs to filter traffic?”
  → Router or Firewall
🔍 Summary
- Segmentation keeps different network areas separate to protect sensitive data and limit threats.
- Access control ensures only authorized users and systems can access specific resources.
- ACLs and permissions are the tools used to enforce access control policies.
- Together, they are essential mitigation techniques that strengthen an organization’s security posture and are key concepts for the CompTIA Security+ SY0-701 exam.
