Six Mitigation Techniques β Quick Reference
| Technique | Primary Goal | Timing | What It Cannot Do |
|---|---|---|---|
| Patching | Eliminate known exploitable vulnerabilities before attackers use them | Before attack | Does not stop zero-day attacks (no patch exists yet); does not help if credentials are stolen |
| Encryption | Ensure stolen or physically accessed data is unreadable without the key | Before + after | Does not prevent data theft via network; does not help if encryption key is also stolen |
| Monitoring | Detect attacks in progress that preventive controls failed to stop | During attack | Does not prevent a breach; only detects it. Requires human or automated response to act on alerts. |
| Least Privilege | Limit what any single compromised account can access | Before + during | Does not prevent the initial compromise; does not help if a privileged account is the one stolen |
| Config. Enforcement | Prevent non-compliant devices from joining and contaminating the network | Before attack | Does not protect compliant devices from attack; only ensures devices meet a baseline before connecting |
| Decommissioning | Prevent data recovery from retired storage media | After use | Does not protect data while in active use; only addresses retirement-phase residual risk |
Patching Types β When to Deploy
Regular cadence. Microsoft Patch Tuesday = 2nd Tuesday of each month. Test in staging β approve β deploy via WSUS/SCCM/endpoint management. Most environments have 2β4 week deployment target.
Risk of skipping: Each month compounds β a system unpatched for 6 months has dozens of known exploitable CVEs.
Irregular cadence per vendor. Browsers (Chrome, Firefox, Edge), PDF readers, Java, Flash (historical), and productivity suites are among the most actively exploited attack surfaces.
Common gap: OS patching is often automated; third-party apps require explicit management and are frequently missed.
Irregular; from hardware manufacturers. BIOS/UEFI, NIC firmware, storage controller, GPU drivers. Often not covered by OS update mechanisms β require vendor tooling.
Risk: Firmware vulnerabilities can survive OS reinstalls and may be below EDR/AV visibility.
Triggered by active exploitation in the wild. Cannot wait for the next maintenance window. Bypasses normal testing cycle. Deploy within hours to days of vendor release.
Exam rule: For actively exploited zero-days, deploy immediately β the risk of running unpatched outweighs the risk of an incompatibility.
Three Encryption Layers β Comparison
| Layer | What Is Encrypted | Technology | Protects Against | Does NOT protect against |
|---|---|---|---|---|
| Full Disk (FDE) | Entire storage volume β OS, apps, user data, swap | BitLocker (Win), FileVault (Mac), LUKS (Linux) | Physical drive theft; unauthorized drive removal; improper decommissioning | Network-based data theft; logged-in user context attacks |
| File-Level | Selected files or folders only | Windows EFS | Other OS accounts accessing the file; drive theft when user is not logged in | Attacker with access to the owning user's account (file auto-decrypts for the user) |
| Application-Level | Application's own stored data (vault file, DB columns, message store) | App-managed (password managers, DB column encryption, encrypted messengers) | Storage compromise at any layer below the app; backup theft; DB file theft | Attacker with access to the running application (data is decrypted in memory during use) |
Posture Assessment Flow
Decommissioning β Method Selection by Scenario
| Scenario | Recommended Method | Sufficient? |
|---|---|---|
| HDD moving to another internal system | Format drive before reassignment; verify no previous user data accessible | Yes β drive stays in organizational custody |
| HDD being donated, resold, or sent to e-recycler | NIST SP 800-88 Purge-level overwrite (multiple-pass, verified) | Yes for most data classifications |
| SSD with BitLocker/FileVault enabled | Cryptographic erase β destroy the BitLocker/FileVault key; ciphertext on drive is permanently unreadable | Yes β fastest and most reliable method for encrypted SSDs |
| SSD without FDE β needs to leave org | ATA Secure Erase command (manufacturer-level) or physical destruction | Standard overwrite not reliable on NAND flash β use manufacturer tool or destroy |
| Drive with classified / highly sensitive data (PHI, PII, financial) | Physical destruction β shred, degauss + shred, or incinerate | Yes β no technique is more certain than physical destruction |
| Discarding without any sanitization | Never acceptable for any organizational device | No β deleted/formatted drives are recoverable with free tools |
Least Privilege β Standard vs. Incorrect Account Model
- User's account has local administrator rights
- Malware executes in user context β inherits admin rights
- Malware can install drivers, disable AV, modify system
- Malware can persist across reboots via system services
- Attacker has full control of the system from day one
- User's daily account has no admin rights
- Malware executes in user context β limited to user's files
- Malware cannot install drivers or modify system files
- Malware cannot disable security software
- Admin tasks: temporary elevation via UAC/sudo; rights revert after task