Chapter 9 of 25
Mitigation Techniques: From Hardening to User Training
Turn knowledge of threats and vulnerabilities into action by selecting practical mitigation techniques that show up again and again on the exam and in real environments.
From Vulnerabilities to Mitigations: The Big Picture
From Weaknesses to Actions
You have seen how vulnerabilities and indicators of malicious activity look. Now we focus on what to actually do: practical mitigation techniques that reduce real risk.
Common Mitigation Families
Again and again you will use: patching and updates, system and network hardening, secure configuration baselines, segmentation, encryption, access control, and user training.
What the Exam Expects
Security+ expects you to map threats to mitigations, explain how baselines and hardening reduce attack surface, and prioritize actions using likelihood and impact.
Think Like a Junior Analyst
Imagine your manager shows you findings from a hybrid environment and asks: "What should we do next?" This module trains you to answer that clearly and confidently.
Mitigation and Security Controls: Foundations You Must Know
What Is a Security Control?
A security control is any measure we use to reduce risk. On the exam, questions often ask you to identify "what type of control" a given mitigation represents.
The 10 Control Types
Memorize this list in order: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.
Common Control Examples
Firewall rules are technical and preventive; policies are managerial and directive; awareness training is operational, preventive, and deterrent; CCTV is physical and detective.
Linking to CIA
Each control mainly supports confidentiality, integrity, or availability. Thinking in terms of control type plus CIA will help you quickly spot best-fit answers.
System and Network Hardening: Reducing the Attack Surface
What Is Hardening?
Hardening is the process of making a system more resistant to attack by reducing its attack surface: fewer services, ports, and default settings to exploit.
Remove What You Do Not Need
Uninstall unused apps, disable legacy protocols like Telnet and FTP, and turn off sample or test services that do not support a real business need.
Fix Default Configurations
Change default passwords, disable unneeded default accounts, and remove default shares or sample web apps that attackers love to abuse.
Least Functionality and Privilege
Enable only the features required (least functionality) and grant only the permissions needed (least privilege) to users and services.
Harden Network Devices Too
Disable unused switch ports, secure management interfaces, and use SSH/HTTPS for administration. These are classic mitigation techniques on the exam.
Secure Configuration Baselines and Configuration Management
Why Baselines?
Hardening one system helps, but you need consistency. A secure configuration baseline defines the approved secure settings for each asset type.
What a Baseline Includes
Typical items: OS version and patches, services and ports, local policies, logging, endpoint protection, and encryption requirements such as full-disk encryption.
Keeping Systems Aligned
Configuration management tools and mobile device management (MDM) enforce baselines, detect drift, and let you roll out secure settings to many devices at once.
How It Shows Up on Exams
If a scenario asks how to ensure all servers stay hardened or how to spot unauthorized changes, "implement secure configuration baselines" is often the best answer.
Worked Scenario: Hardening and Baselines in a Hybrid Environment
The Environment
Imagine a company with on-premises file servers, cloud web servers, remote laptops, and some IoT/OT devices. A scan finds weak protocols, default settings, and missing encryption.
Mitigating on Servers
Create Windows and Linux baselines: disable SMBv1 and guest access, remove unused packages, turn off FTP, and secure SSH management with strong authentication.
Mitigating on Endpoints
For laptops, require full-disk encryption, remove local admin rights where feasible, enforce endpoint detection and response (EDR), and configure automatic patching to reduce the attack surface.
Mitigating IoT and OT
Change default passwords on IoT/OT, place them on a separate VLAN, and limit traffic with firewall rules. Combine hardening, baselines, and segmentation.
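The hardening and baseline sections above describe the idea in words; the following added example (written for this chapter, not code from Skarp, Microsoft, or any configuration-management product) shows what "enforce a baseline and detect drift" looks like in practice. The baseline items, their severities, and the two host snapshots are constructed to mirror the worked scenario (SMBv1, guest access, FTP, SSH management, full-disk encryption); a real baseline would be far longer.

```python
"""Baseline drift check: compare what a host reports against its approved baseline.

Added illustration for the hardening and baseline sections; not code from Skarp
or any vendor product. Baseline items, severities and host snapshots are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineItem:
    key: str          # setting name as the host snapshot reports it
    expected: object  # the approved value
    severity: str     # "high", "medium" or "low": how urgently drift must be fixed
    rationale: str    # why the baseline requires it (shown in the drift report)


# Approved settings per asset type (constructed; a real baseline is much longer).
WINDOWS_SERVER_BASELINE = [
    BaselineItem("smbv1_enabled", False, "high", "legacy protocol, no business need"),
    BaselineItem("guest_access_enabled", False, "high", "default/guest access removed"),
    BaselineItem("ftp_service", "disabled", "medium", "cleartext legacy protocol"),
    BaselineItem("full_disk_encryption", True, "high", "protects data at rest"),
    BaselineItem("audit_logging", "enabled", "medium", "needed to detect unauthorized change"),
]

LINUX_SERVER_BASELINE = [
    BaselineItem("telnet_service", "disabled", "high", "cleartext legacy protocol"),
    BaselineItem("ftp_service", "disabled", "medium", "cleartext legacy protocol"),
    BaselineItem("ssh_password_auth", False, "high", "key-based SSH management only"),
    BaselineItem("ssh_permit_root_login", False, "high", "least privilege for admin access"),
    BaselineItem("full_disk_encryption", True, "high", "protects data at rest"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_drift(observed: dict, baseline: list) -> list:
    """Return one finding per baseline item the snapshot violates or fails to report.

    A setting the agent did not report is treated as drift: an unknown state is
    not a compliant state.
    """
    findings = []
    for item in baseline:
        if item.key not in observed:
            reason = "setting not reported (treated as drift)"
        elif observed[item.key] != item.expected:
            reason = item.rationale
        else:
            continue
        findings.append({
            "key": item.key,
            "severity": item.severity,
            "expected": item.expected,
            "observed": observed.get(item.key),
            "reason": reason,
        })
    # Highest severity first so the analyst fixes the riskiest drift first.
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def compliance_percent(observed: dict, baseline: list) -> float:
    """Share of baseline items the host satisfies, for tracking drift over time."""
    failed = len(check_drift(observed, baseline))
    return round(100.0 * (len(baseline) - failed) / len(baseline), 1)


def report(hostname: str, observed: dict, baseline: list) -> str:
    """Human-readable drift report for one host."""
    lines = [f"{hostname}: {compliance_percent(observed, baseline)}% compliant"]
    for f in check_drift(observed, baseline):
        lines.append(f"  [{f['severity'].upper()}] {f['key']}: expected {f['expected']!r}, "
                     f"observed {f['observed']!r} ({f['reason']})")
    return "\n".join(lines)


# Constructed snapshots, shaped like what a config-management or MDM agent reports.
OBSERVED_WINDOWS = {
    "smbv1_enabled": True,          # drift: legacy protocol still on
    "guest_access_enabled": False,
    "ftp_service": "running",       # drift: should be disabled
    "full_disk_encryption": True,
    # "audit_logging" is absent: the agent did not report it
}
OBSERVED_LINUX = {
    "telnet_service": "disabled",
    "ftp_service": "disabled",
    "ssh_password_auth": True,      # drift: passwords still accepted on SSH
    "ssh_permit_root_login": False,
    "full_disk_encryption": True,
}

if __name__ == "__main__":
    print(report("fs-01 (Windows)", OBSERVED_WINDOWS, WINDOWS_SERVER_BASELINE))
    print(report("web-02 (Linux)", OBSERVED_LINUX, LINUX_SERVER_BASELINE))
```

Two design points matter for the exam idea of "spotting unauthorized changes": a setting the agent cannot report is counted as drift rather than silently passing, and findings are ordered by severity so the drift report doubles as a prioritized fix list.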
Segmentation, Isolation, and Encryption as Core Mitigations
Why Segment and Isolate?
Segmentation breaks the network into zones with controlled traffic. Isolation keeps high-risk or sensitive systems separate to limit lateral movement.
Segmentation Examples
Use VLANs and firewalls to separate user LAN, server LAN, OT network, and DMZ. Only allow specific, justified flows between segments.
Isolation Examples
Use jump servers for admin access, separate admin networks, sandbox test environments, and quarantine networks for risky or noncompliant devices.
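To make "only allow specific, justified flows between segments" concrete, here is an added example (written for this chapter, not code from Skarp or any firewall product) of a default-deny inter-zone policy. Every permitted flow carries a written justification, and a reachability check shows which zones a compromised host in a given segment could reach through the permitted flows, which is the "blast radius" that segmentation and isolation are meant to shrink. The zone names, rules, and sample traffic are all constructed.

```python
"""Default-deny inter-zone policy with a reachability (blast radius) check.

Added illustration for the segmentation and isolation examples; not code from Skarp
or any firewall product. Zones, rules, justifications and sample traffic are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    port: int
    justification: str  # every permitted flow needs a documented business reason


# Everything not listed here is denied at the segment boundary (default deny).
ALLOWED_FLOWS = [
    Rule("user_lan", "server_lan", "tcp", 445, "staff access to file shares"),
    Rule("user_lan", "dmz", "tcp", 443, "internal users reach the web tier"),
    Rule("internet", "dmz", "tcp", 443, "public web service"),
    Rule("dmz", "server_lan", "tcp", 5432, "web tier to its database only"),
    Rule("admin_net", "jump_server", "tcp", 22, "admins log in to the jump host"),
    Rule("jump_server", "server_lan", "tcp", 22, "jump host manages Linux servers"),
    Rule("jump_server", "ot", "tcp", 22, "jump host to OT gateway, change-controlled"),
    Rule("quarantine", "remediation", "tcp", 443, "noncompliant devices fetch patches only"),
]


def evaluate(src_zone, dst_zone, proto, port, rules=ALLOWED_FLOWS):
    """Return (allowed, reason) for one flow between zones."""
    if src_zone == dst_zone:
        return True, "same zone: not filtered at the segment boundary"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src_zone, dst_zone, proto, port):
            return True, r.justification
    return False, "no matching rule: default deny"


def reachable_zones(start_zone, rules=ALLOWED_FLOWS):
    """Zones a host in start_zone could reach through any chain of permitted flows.

    This is the blast radius of a compromise in start_zone: the smaller the set,
    the better the segmentation limits lateral movement.
    """
    seen = set()
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src_zone == zone and r.dst_zone not in seen and r.dst_zone != start_zone:
                seen.add(r.dst_zone)
                queue.append(r.dst_zone)
    return seen


def unjustified_rules(rules=ALLOWED_FLOWS):
    """Rules with no written justification: candidates for review and removal."""
    return [r for r in rules if not r.justification.strip()]


if __name__ == "__main__":
    # Constructed sample traffic a reviewer might check against the policy.
    for flow in [("user_lan", "server_lan", "tcp", 445),
                 ("user_lan", "ot", "tcp", 22),
                 ("jump_server", "ot", "tcp", 22),
                 ("dmz", "server_lan", "tcp", 22)]:
        ok, why = evaluate(*flow)
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {'ALLOW' if ok else 'DENY'} ({why})")
    for zone in ("user_lan", "internet", "admin_net"):
        print(f"blast radius from {zone}: {sorted(reachable_zones(zone))}")
```

The reachability output is the useful review artifact: a user LAN host can reach the server LAN and DMZ but never the OT network, because OT is only reachable through the jump server; and the internet can reach the server LAN indirectly through the web tier's database flow, which is exactly the kind of transitive path a segmentation review should notice and justify.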
Encryption In Transit and At Rest
Use TLS and VPNs to protect data in transit; use full-disk encryption, database encryption, and encrypted backups to protect data at rest.
Recognizing Exam Clues
Protect data over untrusted networks? Think encryption in transit. Limit impact of a host compromise? Think segmentation or isolation.
Security Awareness and Training as a Mitigation
Humans as a Control
Many breaches start with a user action. Security awareness and training is a real mitigation that changes behavior and reduces user-driven risk.
Phishing and Social Engineering
Train users to spot suspicious emails and calls, avoid unknown links, verify unusual requests out-of-band, and report incidents quickly.
Role-Based Training
Give extra training to admins, developers, and executives. For example, teach developers secure coding practices to avoid common application flaws.
Policies and Simulations
Make sure users understand acceptable use and reporting policies, and reinforce lessons with simulated phishing and short refreshers.
When Training Is the Best Answer
If a scenario describes repeated user mistakes or social engineering success, targeted awareness training is often the correct mitigation on the exam.
Risk-Based Prioritization: Choosing What to Do First
You Cannot Fix Everything Today
Risk-based prioritization means deciding which mitigations to implement first using likelihood and impact as your main guides.
Likelihood and Impact
Likelihood is how probable exploitation is; impact is how damaging it would be. Focus on items that are both high likelihood and high impact.
Other Prioritization Factors
Consider exposure (internet-facing vs internal), existing compensating controls, and the effort vs benefit of each mitigation.
Avoid Common Exam Traps
Do not pick low-impact actions like updating documentation when a critical, exposed vulnerability is present. Fix the biggest risks first.
Thought Exercise: Prioritizing Mitigations
Work through this short scenario to practice risk-based thinking.
You are given the following findings from a vulnerability assessment:
- Critical vulnerability on the public VPN appliance that allows remote code execution. A patch is available.
- Medium-severity missing patches on several internal file servers that are only accessible from the internal LAN.
- Users frequently clicking on phishing links in simulated campaigns, but no major incidents yet.
- Outdated documentation for the incident response plan.
Task 1: Rank these from highest to lowest priority for immediate mitigation (today or this week). Write down your order.
Task 2: For each item, note:
- Likelihood (H/M/L)
- Impact (H/M/L)
- One realistic mitigation.
Suggested reasoning (compare with your notes):
- Item 1: High likelihood (internet-exposed, public exploit likely), high impact (VPN compromise). Mitigation: emergency patching, temporary access restrictions, enhanced monitoring.
- Item 3: Medium likelihood (simulations show susceptibility), potentially high impact (future real attack). Mitigation: targeted awareness training + email filtering tuning.
- Item 2: Medium likelihood, medium impact (internal only, but still important). Mitigation: scheduled patching window.
- Item 4: Low likelihood, medium impact (matters when an incident occurs). Mitigation: update documentation after critical technical issues.
Check whether your ranking aligns roughly: 1 > 3 > 2 > 4. If it does, you are thinking like the exam and like a real analyst.
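The thought exercise does the prioritization by hand; the following added example (written for this chapter, not part of the Skarp material) carries the same likelihood and impact reasoning through in code and generalizes it slightly with an exposure adjustment and a discount for existing compensating controls, the other prioritization factors named above. The H/M/L ratings follow the suggested reasoning; the numeric scale (H=3, M=2, L=1), the exposure bonus, the compensating-control discount, and the scheduling thresholds are assumptions made for this example.

```python
"""Risk-based prioritisation of the four findings in the thought exercise.

Added illustration, not part of the Skarp material. The numeric scale, exposure
bonus, compensating-control discount and scheduling thresholds are assumptions.
"""
from dataclasses import dataclass, field

SCALE = {"H": 3, "M": 2, "L": 1}


@dataclass
class Finding:
    id: int
    title: str
    likelihood: str                  # "H", "M" or "L"
    impact: str                      # "H", "M" or "L"
    internet_facing: bool = False    # exposure raises priority
    compensating_controls: list = field(default_factory=list)
    mitigation: str = ""


def risk_score(f: Finding) -> int:
    """Likelihood x impact, adjusted for exposure and compensating controls."""
    score = SCALE[f.likelihood] * SCALE[f.impact]
    if f.internet_facing:
        score += 2          # exposed to the whole internet: assume it will be found
    # Each compensating control lowers the score, but never below 1:
    # a compensating control reduces risk, it does not remove the finding.
    return max(1, score - len(f.compensating_controls))


def schedule(score: int) -> str:
    """Map a score to a realistic time frame (thresholds are assumptions)."""
    if score >= 9:
        return "emergency: today"
    if score >= 5:
        return "this week"
    if score >= 3:
        return "next scheduled maintenance window"
    return "backlog"


def prioritize(findings: list) -> list:
    """Highest risk first; ties broken by impact so damage potential wins."""
    return sorted(findings, key=lambda f: (risk_score(f), SCALE[f.impact]), reverse=True)


def plan(findings: list) -> list:
    """Ordered (id, score, time frame, mitigation) tuples the analyst can hand over."""
    return [(f.id, risk_score(f), schedule(risk_score(f)), f.mitigation)
            for f in prioritize(findings)]


# The exercise's four findings, rated as in the suggested reasoning.
FINDINGS = [
    Finding(1, "RCE on public VPN appliance, patch available", "H", "H",
            internet_facing=True,
            mitigation="emergency patch, temporary access restriction, extra monitoring"),
    Finding(2, "Medium-severity missing patches on internal file servers", "M", "M",
            mitigation="scheduled patching window"),
    Finding(3, "Users clicking simulated phishing links", "M", "H",
            mitigation="targeted awareness training plus email filtering tuning"),
    Finding(4, "Outdated incident response documentation", "L", "M",
            mitigation="update after the critical technical issues are handled"),
]

if __name__ == "__main__":
    for fid, score, when, what in plan(FINDINGS):
        print(f"#{fid} score={score:2d} {when:36s} -> {what}")
```

Run as written it reproduces the exercise's order 1 > 3 > 2 > 4. The compensating-control discount is what keeps the scoring honest in a real environment: an internal server already behind strict segmentation scores lower than the same finding on a flat network, but it never disappears from the list.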
Quiz 1: Mapping Threats to Mitigations
Test your ability to pick the most appropriate mitigation.
A company experiences multiple successful phishing attacks where users enter credentials into fake login pages. The environment already has email filtering and MFA in place. Which additional mitigation is MOST appropriate to reduce this specific risk?
- A) Deploy full-disk encryption on all laptops
- B) Implement targeted security awareness training with simulated phishing
- C) Increase the length of server administrator passwords to 20 characters
- D) Move all public-facing web servers into a DMZ segment
Answer: B) Implement targeted security awareness training with simulated phishing
The main problem is users falling for phishing despite technical controls. The best additional mitigation is targeted security awareness training with simulated phishing to change user behavior. Full-disk encryption protects data at rest, longer admin passwords help other threats, and moving web servers into a DMZ does not directly address credential harvesting via phishing.
Quiz 2: Baselines and Hardening
Check your understanding of secure configuration baselines.
An organization wants to ensure that all new Windows servers are deployed with the same hardened settings and that any unauthorized configuration changes are detected. Which of the following BEST meets this goal?
- A) Conducting annual penetration tests against production servers
- B) Implementing secure configuration baselines with configuration management
- C) Requiring developers to follow secure coding guidelines
- D) Enabling full-disk encryption on all servers
Answer: B) Implementing secure configuration baselines with configuration management
Secure configuration baselines, enforced through configuration management, ensure consistent hardened settings and allow detection of unauthorized changes. Penetration tests and secure coding address different concerns, and full-disk encryption protects data at rest but does not ensure consistent configurations.
Key Term Review: Mitigation Techniques
Flip through these cards to reinforce core concepts from this module.
- Hardening
- The process of making a system more resistant to attack by reducing its attack surface, such as disabling unnecessary services, changing defaults, and enforcing least functionality and least privilege.
- Secure configuration baseline
- A standard, approved set of configuration settings for a specific asset type (such as a Windows server or router) used to ensure systems start and remain in a known secure state.
- Network segmentation
- Dividing a network into smaller zones or VLANs with controlled traffic between them, typically enforced by firewalls or ACLs, to limit lateral movement and contain breaches.
- Security awareness and training
- An operational, preventive, and deterrent control that teaches users how to recognize and respond to threats such as phishing, social engineering, and data handling risks.
- Risk-based prioritization
- Choosing which mitigations to implement first by considering the likelihood that a threat will occur and the impact it would have, focusing on high-likelihood, high-impact issues.
- Compensating control
- A security control that is used in place of a primary control when the primary control is not feasible, providing an equivalent or comparable level of protection.
- Encryption in transit vs at rest
- Encryption in transit protects data as it moves over networks (for example, TLS, VPNs), while encryption at rest protects stored data on devices or media (for example, full-disk encryption, database encryption).
- Least privilege
- A principle of access control where users and services are granted only the minimum permissions they need to perform their tasks, reducing potential damage from compromise or error.
Connecting Mitigation to Vulnerability Management and Incident Response
Mitigation in Vulnerability Management
You discover vulnerabilities, prioritize them, apply mitigations like patching and hardening, and then verify they worked, feeding lessons into secure baselines.
Mitigation in Incident Response
During incidents, segmentation and isolation contain spread, encryption limits data exposure, and baselines and logs help you see what changed.
Lifecycle Thinking on the Exam
Before incidents, focus on preventive mitigations; during incidents, focus on containment; after incidents, improve hardening, baselines, and training.
Next Steps in Your Study Path
As you continue with Skarp, diagnostics, mock exams, and spaced review will reinforce these mitigation patterns until they are automatic for you.
Key Terms
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- hardening
- The process of making a system more resistant to attack by reducing its attack surface, such as disabling unnecessary services, changing defaults, and enforcing least functionality and least privilege.
- zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- attack surface
- The sum of all the different points where an attacker could try to enter or extract data from a system or environment.
- least privilege
- A principle where users and services are granted only the minimum permissions they need to perform their tasks.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- encryption at rest
- Cryptographic protection applied to stored data on devices or media, such as full-disk encryption or database encryption.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- compensating control
- A security control used in place of a primary control when the primary control is not feasible, providing an equivalent or comparable level of protection.
- network segmentation
- Dividing a network into smaller zones or VLANs with controlled traffic between them to limit lateral movement and contain breaches.
- encryption in transit
- Cryptographic protection applied to data as it moves over networks, such as TLS or VPN tunnels.
- risk-based prioritization
- Choosing which mitigations to implement first by considering likelihood and impact, focusing on high-likelihood, high-impact issues.
- secure configuration baseline
- A standard, approved set of configuration settings for a specific asset type used to ensure systems start and remain in a known secure state.
- security awareness and training
- An operational control that educates users about security risks and safe behaviors, reducing the likelihood of successful social engineering and user-driven threats.
- governance, risk, and compliance
- Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.