Domain 2: Threats, Vulnerabilities, and Mitigations Module 18 of 61

Mitigation Techniques and Controls

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations C — Malicious Activity and Mitigations 14–18 minutes

What the Exam Is Really Testing

Everything you studied in the previous modules — the threats, the vulnerabilities, the attacks — all leads to one question: what do you do about it?

This module is where Domain 2 comes together. The exam will describe a specific problem and ask you to pick the right control.

Given a specific threat or vulnerability scenario, select the mitigation technique that most effectively reduces the risk — and explain why it is the best choice over alternatives.

Choosing the right mitigation for the right scenario is what the exam ultimately tests.


Network Segmentation

Segmentation divides the network into isolated zones, limiting an attacker's ability to move laterally after gaining initial access.

Segmentation strategies:

  • VLANs — Logically separate network traffic at Layer 2, isolating departments or security zones
  • Subnets — Divide the network at Layer 3 with routing controls between segments
  • Firewalls — Enforce access policies between network segments
  • DMZ — Create a buffer zone for public-facing services, separating them from internal resources
  • Microsegmentation — Apply granular policies at the workload or application level in virtualized and cloud environments

On the exam, segmentation is the correct answer when the scenario involves lateral movement, blast radius reduction, or isolating sensitive systems from general network access.


Access Control

Access Control Lists (ACLs)

ACLs define which users, groups, or systems can access specific resources and what actions they can perform. They operate at the network level (router ACLs filtering traffic) and the file system level (permissions on files and directories).

Network ACLs control traffic flow between segments. File system ACLs control who can read, write, or execute files. Both should follow the principle of deny by default, allowing only explicitly authorized access.
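The segmentation and ACL passages above both come down to the same rule: list the flows you authorize, and deny everything else. The block below is an added example written for this page, not material from the course module. It is a deny-by-default evaluator for traffic crossing segments; the zone names, subnets, rules and sample flows are all constructed for illustration.

```python
# Added example (not from the course module): a deny-by-default evaluator for
# traffic crossing network segments. Zones, subnets, rules and the sample
# flows are all constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    action: str      # "allow" or "deny"

# Hypothetical segments and the subnets assigned to them
ZONES = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "dmz":     ipaddress.ip_network("192.168.100.0/24"),
}

# Only explicitly authorized flows are listed; the evaluator denies the rest
RULES = [
    Rule("finance", "servers", "tcp", 445,  "allow"),  # finance -> file shares
    Rule("dmz",     "servers", "tcp", 5432, "allow"),  # web tier -> database
    Rule("dmz",     "finance", "tcp", 445,  "deny"),   # documented explicit deny
]

def zone_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Decide 'allow' or 'deny' for one flow; unmatched traffic is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"                 # address not in any known segment
    if src == dst:
        return "allow"                # this ACL only governs inter-segment flows
    for rule in RULES:                # first matching rule wins
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) == (src, dst, proto, dst_port):
            return rule.action
    return "deny"                     # implicit deny at the end of the list

def lateral_movement_check() -> dict:
    """Sample flows from a compromised DMZ host toward finance and the server segment."""
    return {
        "dmz_to_finance_smb": evaluate("192.168.100.3", "10.10.0.5", "tcp", 445),
        "dmz_to_servers_rdp": evaluate("192.168.100.3", "10.20.0.9", "tcp", 3389),
        "finance_to_servers_smb": evaluate("10.10.0.5", "10.20.0.9", "tcp", 445),
    }
```

The point to notice is the last line of `evaluate`: the implicit deny is what turns a list of rules into segmentation. A compromised host in one zone can reach only the ports the list names, which is exactly the blast-radius reduction the exam is asking about.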

Permissions

Permissions define granular access rights to resources. Effective permission management requires:

  • Role-based access control (RBAC) — Assign permissions to roles, then assign users to roles
  • Regular access reviews to remove stale permissions
  • Separation of duties for critical operations
  • Just-in-time access for privileged operations

Application Allow Listing

Application allow listing permits only approved applications to execute. Everything not on the approved list is blocked by default.

This is the opposite of blocklisting (blacklisting), which blocks known-bad applications and allows everything else. Allow listing is significantly more secure because anything not explicitly approved cannot run, so malware that has never been seen before is blocked without needing a signature for it.

The exam favors allow listing as the stronger control. In scenarios where preventing unauthorized software execution is the goal, allow listing is almost always the correct answer.
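To make the allow-list versus blocklist difference concrete, here is an added example (not code from the course module) that applies both policies to three constructed "binaries". The byte strings stand in for executable file contents, and the hashes are computed from them; no real software or malware is involved.

```python
# Added example (not from the course module): hash-based allow listing beside a
# blocklist, run against three constructed "binaries". The byte strings stand
# in for executable file contents; no real hashes or malware are involved.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample programs
APPROVED_APP  = b"approved-business-app v1.0"
KNOWN_MALWARE = b"malware sample already in threat feeds"
NOVEL_MALWARE = b"malware nobody has catalogued yet"

# Allow list: the only hashes permitted to execute
ALLOW_LIST = {sha256(APPROVED_APP)}
# Blocklist: hashes known to be bad; everything else is permitted
BLOCK_LIST = {sha256(KNOWN_MALWARE)}

def allowlist_permits(binary: bytes) -> bool:
    """Default deny: run only if the hash is explicitly approved."""
    return sha256(binary) in ALLOW_LIST

def blocklist_permits(binary: bytes) -> bool:
    """Default allow: run unless the hash is explicitly known bad."""
    return sha256(binary) not in BLOCK_LIST

def compare(binary: bytes) -> dict:
    """Show what each policy decides for the same file."""
    return {"allowlist": allowlist_permits(binary),
            "blocklist": blocklist_permits(binary)}

def approve_update(old: bytes, new: bytes) -> None:
    """A hash-based allow list must be updated whenever an approved app changes."""
    ALLOW_LIST.discard(sha256(old))
    ALLOW_LIST.add(sha256(new))
```

Run `compare(NOVEL_MALWARE)` and the two policies disagree: the blocklist permits it because nobody has catalogued it yet, while the allow list refuses it because nobody approved it. The `approve_update` helper shows the operational cost of the stronger control: every legitimate patch changes the hash, so real allow-listing tools usually also support publisher-signature or path rules to avoid re-approving every update by hand.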


Isolation

Isolation separates a compromised or high-risk system from the rest of the environment to prevent the spread of damage.

Isolation contexts:

  • Network isolation — Disconnecting a compromised system from the network during incident response
  • Application sandboxing — Running untrusted code in a restricted environment where it cannot affect other systems
  • Air-gapped networks — Physical isolation for the highest-security environments with no network connectivity
  • Container isolation — Running applications in containers that limit access to host resources

On the exam, isolation is the correct answer when the scenario requires containing a threat or testing unknown code safely.


Patching

Patching is the most frequently tested mitigation on Security+ because unpatched vulnerabilities are the most commonly exploited attack vector.

Effective patch management requires:

  • Complete asset inventory — You cannot patch what you do not know exists
  • Prioritization — Patch critical vulnerabilities on internet-facing systems first
  • Testing — Validate patches in staging before production deployment
  • Automation — Use patch management tools for consistent deployment
  • Verification — Confirm patches applied successfully after deployment
  • Documentation — Track exceptions and compensating controls for unpatchable systems

When the exam asks about the most effective mitigation for a known vulnerability with an available patch, the answer is patching. Every time.
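The list above describes a procedure: inventory, prioritize, deploy, verify, document exceptions. The block below is an added example, not material from the course module, that turns the prioritization, verification and exception steps into code over a constructed scan inventory. The asset names, CVSS scores, versions and `CVE-PLACEHOLDER-n` identifiers are all made up.

```python
# Added example (not from the course module): ordering a patch queue from a
# constructed vulnerability-scan inventory and verifying installed versions
# afterwards. The assets, CVE placeholders, scores and versions are made up.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Finding:
    asset: str
    cve: str               # placeholder ids, not real CVEs
    cvss: float
    internet_facing: bool
    patch_available: bool
    fixed_version: str     # version that carries the fix, if any

FINDINGS = [
    Finding("web-01",    "CVE-PLACEHOLDER-1", 9.8, True,  True,  "2.4.1"),
    Finding("hr-db",     "CVE-PLACEHOLDER-2", 9.1, False, True,  "14.3"),
    Finding("print-srv", "CVE-PLACEHOLDER-3", 5.3, False, True,  "1.9"),
    Finding("vpn-gw",    "CVE-PLACEHOLDER-4", 7.5, True,  True,  "7.0.2"),
    Finding("plc-01",    "CVE-PLACEHOLDER-5", 8.8, False, False, ""),   # vendor has no fix
]

def prioritize(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Internet-facing first, then CVSS descending; unpatchable items go to an exception list."""
    patchable = [f for f in findings if f.patch_available]
    exceptions = [f for f in findings if not f.patch_available]
    patchable.sort(key=lambda f: (not f.internet_facing, -f.cvss))
    return patchable, exceptions

def _version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def verify(findings: List[Finding], installed: Dict[str, str]) -> List[str]:
    """Confirm each patchable asset now runs at least the fixed version; return the ones that do not."""
    still_open = []
    for f in findings:
        if not f.patch_available:
            continue        # tracked as an exception with compensating controls instead
        current = installed.get(f.asset)
        if current is None or _version_tuple(current) < _version_tuple(f.fixed_version):
            still_open.append(f.asset)
    return still_open
```

The `verify` step is the one teams most often skip: a deployment tool reporting success is not the same as the fixed version actually running. Anything `verify` returns goes back to the top of the queue, and anything in the exception list needs a documented compensating control rather than silence.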


Encryption

Encryption protects data confidentiality by converting readable data into ciphertext that requires a key to decrypt.

Encryption applies to three data states:

  • Data at rest — Full disk encryption (BitLocker, FileVault), database encryption, file-level encryption
  • Data in transit — TLS/HTTPS for web traffic, VPN for network tunnels, SSH for remote access
  • Data in use — Emerging technologies that protect data while it is being processed

The exam tests whether you know which encryption type applies to which scenario. Data stolen from a laptop hard drive is a data-at-rest encryption issue. Data intercepted on a network is a data-in-transit encryption issue.


Monitoring

Monitoring provides visibility into system and network activity, enabling detection of threats that preventive controls miss.

  • SIEM — Security Information and Event Management aggregates logs from multiple sources and correlates events to identify threats
  • IDS/IPS — Intrusion Detection/Prevention Systems monitor network traffic for malicious patterns
  • EDR — Endpoint Detection and Response monitors endpoint behavior for indicators of compromise
  • Log management — Centralized logging ensures events are captured, stored, and available for analysis

Monitoring does not prevent attacks — it detects them. The exam distinguishes between preventive controls (which block attacks) and detective controls (which identify attacks in progress or after the fact).
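A detective control is easiest to understand by watching one work. The block below is an added example written for this page, not code from the course module or from any SIEM product: it replays a handful of constructed SSH authentication log lines and raises alerts for a burst of failed logins and for a success that follows such a burst. The hostnames, usernames, and addresses (drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are made up, and the log format is modelled on typical `sshd` messages.

```python
# Added example (not from the course module): a small detective control that
# replays constructed SSH auth log lines and raises alerts for failed-login
# bursts and for a success that follows such a burst. Hosts, users and
# addresses are made up; the format is modelled on typical sshd messages.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [
    "2024-05-01T10:00:01 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2024-05-01T10:00:03 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2024-05-01T10:00:05 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 51238 ssh2",
    "2024-05-01T10:00:07 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 51240 ssh2",
    "2024-05-01T10:00:09 srv1 sshd[101]: Failed password for admin from 203.0.113.7 port 51242 ssh2",
    "2024-05-01T10:00:12 srv1 sshd[102]: Accepted password for admin from 203.0.113.7 port 51244 ssh2",
    "2024-05-01T10:00:30 srv1 sshd[103]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "2024-05-01T10:00:31 srv1 kernel: eth0 link is up",
    "2024-05-01T10:05:00 srv1 sshd[104]: Failed password for admin from 203.0.113.7 port 51250 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line: str):
    """Return (timestamp, result, user, ip) for an auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def _prune(bucket, now, window):
    """Drop failures older than the sliding window."""
    while bucket and now - bucket[0] > window:
        bucket.pop(0)

def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Emit (alert_type, ip, user, timestamp) tuples in the order they fire."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # not an auth event; ignored by this rule
        ts, result, user, ip = ev
        bucket = failures[ip]
        _prune(bucket, ts, window)
        if result == "Failed":
            bucket.append(ts)
            if len(bucket) == threshold:          # fire once when the burst is reached
                alerts.append(("brute_force", ip, user, ts))
        elif len(bucket) >= threshold:            # success right after a burst
            alerts.append(("success_after_burst", ip, user, ts))
    return alerts
```

Note what this does and does not do, which is the exam's preventive-versus-detective distinction: nothing here blocks a login. It produces two alerts for the sample data, and the second one (`success_after_burst`) is the one an analyst should treat as a probable compromise rather than mere noise. The last line in the sample shows the sliding window working: a single failure five minutes later no longer counts toward the earlier burst.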


Least Privilege

Least privilege grants users and systems only the minimum access needed to perform their function. No more.

Least privilege applies to:

  • User accounts — Standard user accounts for daily work, administrative access only when needed
  • Service accounts — Limited to specific resources and operations required
  • Applications — Run with minimum required permissions, not administrator access
  • Network access — Only the ports, protocols, and destinations needed

On the exam, least privilege is the answer when the scenario involves excessive permissions, overprivileged accounts, or unnecessary access that creates risk.


Input Validation and Secure Coding

Input validation prevents injection attacks, buffer overflows, and other application vulnerabilities by verifying that user input meets expected format, type, length, and range before processing.

Secure coding practices extend this principle:

  • Parameterized queries prevent SQL injection
  • Output encoding prevents XSS
  • Bounds checking prevents buffer overflows
  • Error handling prevents information disclosure
  • Secure defaults prevent misconfiguration
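The first two bullets above are best understood side by side with the defect they fix. The block below is an added example, not code from the course module: it shows format-based input validation, a string-built query beside the parameterized query that replaces it, and output encoding, all run against a constructed in-memory SQLite table. The table, rows and usernames are made up.

```python
# Added example (not from the course module): input validation, a parameterized
# query beside the string-built query it replaces, and output encoding, all run
# against a constructed in-memory SQLite table. Names and rows are made up.
import html
import re
import sqlite3

# Validation: accept only the format the application expects (charset and length)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def validate_username(value: str) -> bool:
    return bool(USERNAME_RE.fullmatch(value))

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """Input is spliced into the SQL text, so it can change the query's structure."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameterized: the driver binds the value, so it can never become SQL syntax."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name: str) -> str:
    """Output encoding: HTML metacharacters in user data are escaped before rendering."""
    return f"<p>Hello, {html.escape(name)}</p>"

def handle_request(conn: sqlite3.Connection, name: str) -> dict:
    """Validate first, then query safely; anything outside the expected format is rejected."""
    if not validate_username(name):
        return {"error": "invalid username"}
    return {"rows": lookup_safe(conn, name), "html": render_greeting(name)}
```

Feeding the textbook `' OR '1'='1` string to `lookup_vulnerable` returns every row, because the quote closes the string literal and the rest becomes part of the WHERE clause; `lookup_safe` returns nothing, because the bound value is compared as data. `handle_request` layers the controls the way the bullets intend: validation rejects malformed input early, the parameterized query protects the database regardless, and the encoder protects the browser.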

Device Hardening

Hardening reduces the attack surface of a system by removing unnecessary components and tightening configurations.

  • Change all default credentials immediately after deployment
  • Disable unnecessary services, ports, and protocols
  • Remove default accounts and sample applications
  • Apply security baselines and configuration benchmarks (CIS, DISA STIGs)
  • Enable logging and auditing
  • Configure host-based firewalls
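Baselines and benchmarks only matter if something checks a system against them. The block below is an added example written for this page, not code from the course module or from CIS or DISA: it audits two constructed `sshd_config` fragments, one with shipped defaults and one hardened, against a small illustrative baseline. The baseline values are chosen for the demonstration and are not a published benchmark.

```python
# Added example (not from the course module): auditing a service configuration
# against a hardening baseline. The two sshd_config fragments below are
# constructed, and the baseline values are illustrative, not a published benchmark.
from typing import Dict, List, Tuple

# Each baseline entry pairs a comparison with the expected value
def _eq(found: str, expected: str) -> bool:
    return found.lower() == expected.lower()

def _le(found: str, expected: str) -> bool:
    return found.isdigit() and int(found) <= int(expected)

BASELINE = {
    "PermitRootLogin":        (_eq, "no"),
    "PasswordAuthentication": (_eq, "no"),
    "X11Forwarding":          (_eq, "no"),
    "MaxAuthTries":           (_le, "4"),
}

WEAK_CONFIG = """
# constructed sample: shipped defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """
# constructed sample: baseline applied
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
"""

def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, skipping comments and blanks; keys are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, found, expected) for every baseline item that is unset or non-compliant."""
    settings = parse_config(text)
    deviations = []
    for key, (check, expected) in BASELINE.items():
        found = settings.get(key.lower())
        if found is None or not check(found, expected):
            deviations.append((key, found if found is not None else "<unset>", expected))
    return deviations
```

An unset key is reported as a deviation on purpose: relying on a daemon's compiled-in default is exactly the kind of implicit configuration a baseline exists to eliminate, so the hardened file states every controlled setting explicitly.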

Decommissioning

Decommissioning is the secure retirement of systems, devices, and data that are no longer needed.

  • Data sanitization — Securely wipe or destroy storage media to prevent data recovery
  • Certificate revocation — Revoke certificates associated with decommissioned systems
  • Access removal — Remove all accounts, credentials, and access grants associated with the system
  • Documentation — Update asset inventory and network diagrams

On the exam, decommissioning questions test whether you understand that removing a system from service requires deliberate security steps, not just unplugging it.


Pattern Recognition

When you see a mitigation question, match the threat to the control:

  1. What is the specific threat or vulnerability?
  2. What type of control addresses it? (preventive, detective, corrective)
  3. At what layer does the mitigation operate? (network, application, endpoint, data)
  4. Does the scenario require preventing, detecting, or responding?

Pattern shortcuts:

  • Lateral movement concern = segmentation
  • Known vulnerability with available fix = patching
  • Unauthorized software execution = application allow listing
  • Excessive user access = least privilege
  • Data theft from stolen device = encryption at rest
  • Injection attack = input validation
  • System retirement = decommissioning with data sanitization

Trap Patterns

Common traps:

  • Choosing detection when prevention is possible. If a preventive control exists (patching, allow listing), the exam usually prefers it over a detective control (monitoring, logging). Prevent first, detect what you cannot prevent.
  • Suggesting encryption as a universal fix. Encryption protects confidentiality; it does not provide availability, and on its own it does not guarantee integrity. If the scenario is about system availability, encryption is not the answer.
  • Confusing allow listing with blocklisting. Allow listing is stronger because it blocks everything not explicitly approved. Blocklisting only blocks known threats and allows everything else, including novel malware.
  • Forgetting decommissioning procedures. Simply turning off a device is not decommissioning. Data remains on storage media, certificates remain valid, and access may persist.

Scenario Practice

Question 1

A ransomware attack compromises a workstation in the finance department and rapidly spreads to file servers, print servers, and other workstations on the same network segment. The entire finance department is affected within 30 minutes.

Which mitigation would MOST effectively limit the impact of a similar future attack?

Answer & reasoning

Answer: Network segmentation to isolate the finance department from other segments and limit lateral movement within the department

The ransomware spread rapidly because all systems were on the same network segment with no barriers to lateral movement. Segmentation would contain the blast radius by preventing the malware from reaching systems in other network zones.

Patching and anti-malware are also important, but segmentation addresses the specific problem of rapid lateral spread.


Question 2

A vulnerability scan identifies a critical remote code execution vulnerability in the organization's public-facing web server. A patch has been available for two weeks. The server hosts the company's primary e-commerce platform.

What should the security team do FIRST?

Answer & reasoning

Answer: Test the patch in staging and deploy it to the production web server as the highest priority

A critical RCE vulnerability on a public-facing server with an available patch is the highest-priority remediation scenario. The patch should be tested quickly and deployed. Every day the patch is not applied represents active risk exposure to the internet.

Compensating controls like WAF rules can provide temporary protection during testing, but the patch is the definitive fix.


Question 3

Users in the organization regularly install unauthorized browser extensions and third-party utilities on their workstations. Some of these installations have introduced malware into the environment. The IT team needs to prevent this without blocking legitimate business applications.

Which control is MOST appropriate?

Answer & reasoning

Answer: Application allow listing that permits only approved applications to execute

Application allow listing blocks all unapproved software by default, preventing unauthorized installations while allowing approved business applications. This directly addresses the problem of users installing unauthorized software.

Blocklisting would require knowing every malicious application in advance, which is impossible. User training helps but does not prevent the behavior technically.


Key Takeaway

There is no universal security control. Patching fixes known vulnerabilities. Segmentation limits blast radius. Least privilege reduces the damage from compromised accounts. Allow listing stops unauthorized execution where blocklisting cannot.

The exam tests whether you can pick the right tool for the right problem. Prevention beats detection when both are available.

Match the control to the threat. That is the entire exam.

Section C Review: Malicious Activity and Mitigations