Choose Mitigation Techniques for Security+ (SY0-701)
Use segmentation, access control, hardening, isolation, patching, and related defensive choices correctly in Security+ scenarios.
This is where Security+ checks whether you can respond with the right defensive move instead of the loudest one. Strong mitigation answers reduce the actual attack path, respect the business constraint, and avoid adding unnecessary blast radius somewhere else.
The mitigation families CompTIA keeps using
| Mitigation | When it is strongest |
|---|---|
| Segmentation | limiting lateral movement or isolating sensitive assets |
| Access control | narrowing who or what can reach the resource |
| Configuration enforcement | maintaining approved secure state consistently |
| Hardening | reducing attack surface and insecure defaults |
| Isolation | containing risky systems or suspected compromise |
| Patching | removing known exploitable weaknesses |
What the exam is really testing
Security+ mitigation questions usually hide one harder judgment inside the wording:
- is the safest answer also the most practical answer
- is the prompt asking for the first move, the best long-term move, or the best compensating move
- is the problem about prevention, containment, visibility, or recovery
If you answer a “first move” question with a long-term architecture improvement, you can still miss the item even if the improvement is good.
Simple segmentation example
1User VLAN -> App VLAN -> Database VLAN
2Guest Wi-Fi -X-> Internal production VLAN
What to notice:
- segmentation is about controlling allowed communication paths
- a strong design reduces east-west spread, not only north-south traffic
- Security+ often rewards segmentation when the goal is containment or blast-radius reduction
How to choose the best first move
Ask these questions in order:
- Is the problem an active attack, a standing weakness, or both?
- Does the answer need to stop spread, reduce exposure, or remove the root cause?
- What constraint matters most: availability, speed, evidence, or least privilege?
That sequence helps you separate:
- isolation during an active incident
- patching for the underlying defect
- hardening to reduce future exposure
- segmentation to reduce future blast radius
Scenario chooser
| Scenario pattern | Strongest first direction |
|---|---|
| Active ransomware spread | isolate affected systems and reduce east-west communication |
| Repeated phishing with spoofed mail | SPF, DKIM, DMARC, filtering, and awareness together |
| Public admin portal exposed broadly | narrow access path, MFA, and logging |
| Critical system cannot be patched yet | compensating controls plus explicit risk tracking |
| Cloud data exposure through broad permissions | tighten IAM or resource policy before adding more monitoring |
Access control example
1ufw allow from 10.10.50.0/24 to any port 22 proto tcp
2ufw deny 22/tcp
What to notice:
- administrative access is restricted to one approved subnet
- the example reduces exposure rather than leaving management services open broadly
- Security+ often prefers narrow access over convenience
Common mistakes in mitigation reasoning
- selecting a detective control when the prompt says prevent or block
- choosing a perfect future-state redesign when the question asks for the next operational step
- forgetting business continuity when the environment is fragile, regulated, or safety-critical
- using one broad access grant to solve a narrow administration problem
Harder scenario question
A hospital cannot immediately patch a legacy imaging server because the vendor has not approved the update and downtime would interrupt patient care. The server sits on a flat internal network and recently showed suspicious connections to workstations. Which option is strongest first?
A. Leave the system unchanged until the vendor certifies the patch
B. Move the server into a restricted segment, tighten allowed communication paths, increase monitoring, and document the residual risk
C. Disable all logging to improve server performance during patient load
D. Grant all technicians local admin so troubleshooting is faster
Best answer: B. The strongest immediate move is a compensating-control package that reduces blast radius and improves visibility while the corrective patch remains unavailable.
Common traps
- choosing patching as the immediate answer when the question is about stopping lateral movement now
- choosing monitoring as the only answer when the scenario clearly needs prevention
- picking a broad firewall rule or broad access grant because it is faster
Quiz
Continue with 3. Security Architecture to move from threat-and-control reasoning into environment and design decisions.