Chapter 56 Β· Glossary

Mitigation Techniques β€” Glossary

Key terms across patching, encryption, monitoring, access control, and asset lifecycle.

Mitigation
The process of reducing the impact and likelihood of a security event. Mitigation operates at three points: before an attack (patching, encryption, least privilege, configuration enforcement prevent exploitation or limit data exposure); during an attack (monitoring detects it; least privilege contains the blast radius); after an attack (decommissioning prevents data recovery from retired media). No single mitigation technique is sufficient β€” layering compensates for each technique's individual failure modes. The collective goal is minimizing the window of exposure, the volume of accessible data, and the attacker's ability to persist undetected.
Patching
The application of software updates that fix security vulnerabilities, stability issues, and functional bugs. The highest-impact preventive mitigation: most successful real-world exploits target known vulnerabilities with available patches that were never applied. Patch categories: monthly OS patches (e.g., Microsoft Patch Tuesday β€” second Tuesday of the month); third-party application patches (browsers, PDF readers, productivity software β€” among the most exploited surfaces); firmware/driver patches from hardware manufacturers; emergency out-of-band patches for actively exploited zero-day vulnerabilities, deployed immediately outside normal maintenance windows.
Emergency Out-of-Band Patch
A security patch released outside a vendor's normal update schedule in response to a critical vulnerability that is being actively exploited in the wild. Cannot wait for the next Patch Tuesday or scheduled maintenance window. Requires a fast-track deployment process that bypasses normal testing timelines. The rationale: attackers reverse-engineer released patches to understand the underlying vulnerability and immediately target systems that have not yet applied the fix. The window between patch release and organizational deployment is a period of extremely elevated risk. Decision rule: for a critical actively-exploited CVE, the risk of running unpatched exceeds the risk of deploying without full testing.
Full Disk Encryption (FDE)
Encryption of an entire storage volume β€” operating system, application files, user data, swap files, and temporary files. All data on the drive is ciphertext to anyone without the encryption key. Protects against physical theft: an attacker who removes the drive from a lost laptop and connects it to another machine reads only ciphertext. Windows: BitLocker (requires TPM 2.0; optionally adds PIN as a second factor). macOS: FileVault 2. Linux: LUKS (dm-crypt). FDE is the mandatory baseline for all portable devices β€” laptops, removable drives, mobile workstations. A lost laptop without FDE is a data breach; the same laptop with FDE is a hardware loss only.
Windows EFS (Encrypting File System)
A Windows file-level encryption feature built into NTFS that encrypts individual files or folders. Encryption is tied to the user's Windows account credentials β€” the file decrypts transparently when the authorized user accesses it and remains ciphertext to all other accounts. Use case: protecting specific sensitive files on a shared system or adding a second encryption layer on top of FDE. Limitation: if the user's Windows account is compromised, EFS-encrypted files are accessible (the attacker logs in as the user and the files decrypt automatically). EFS protects against physical drive theft and other-account access, not against compromise of the account that encrypted the files.
Application-Level Encryption
Encryption managed by an application for its own stored data, independent of the underlying operating system, file system, or disk encryption. The application encrypts data before writing it to storage and decrypts on retrieval. The deepest encryption layer β€” survives failures of FDE and file-level encryption because it operates independently. Examples: password managers (encrypted vault file), end-to-end encrypted messaging local storage, database column-level encryption (individual fields like SSN or payment card numbers encrypted within the database engine). Exam note: when the question asks which encryption layer protects data even if the storage medium is compromised, application-level encryption is the answer.
SIEM (Security Information and Event Management)
A security platform that ingests log data from all network sensors and systems, normalizes formats, applies correlation rules, generates alerts, and provides a searchable historical log repository. The central hub of monitoring infrastructure β€” without a SIEM, detecting cross-source attack patterns is not operationally feasible at enterprise scale. Core functions: log aggregation (collect from firewalls, endpoints, servers, identity providers); normalization (translate vendor-specific formats into a common schema); correlation (identify patterns that span multiple sources and time periods β€” password spraying, lateral movement, data exfiltration); alerting (generate actionable notifications when correlation rules fire). Examples: Splunk, Microsoft Sentinel, IBM QRadar.
Least Privilege
The security principle that every user, application, and service should be granted only the minimum permissions required to perform its specific function β€” nothing more. Directly limits the blast radius of a compromise: an attacker who controls an account can only access what that account is permitted to access. Key application: no standard user should run with administrative privileges on their workstation β€” malware executing in the user context inherits the user's privileges. Without admin rights, malware cannot install drivers, modify security software, or persist across reboots. Correct model: standard account for daily work; temporary elevation for specific administrative tasks only; privileges revert immediately after the task completes.
Configuration Enforcement / Posture Assessment
A network admission control process that evaluates each device's security state before granting access to the network. Four checks: OS patch level (must be current to baseline); EDR version and status (endpoint detection software must be installed, running, and up to date); firewall and EDR configuration (host-based controls must be enabled); machine certificate (cryptographic proof of organizational ownership β€” device is a known, managed asset). Devices that pass all checks receive full network access. Devices that fail are placed in a quarantine VLAN for remediation. After remediation, the device resubmits for assessment.
Quarantine VLAN
A restricted network segment used to isolate non-compliant devices that fail a posture assessment. Provides just enough access for remediation: the Windows Update server, the antivirus update server, and the organization's remediation portal. No access to production systems, shared drives, user data, or the general internet. Once the device completes remediation (installs missing patches, updates EDR signatures, enables the firewall), it resubmits for posture assessment. If the second assessment passes, the device is moved to the production network. The quarantine VLAN is not a punishment β€” it is a staging area that allows the device to meet security requirements without contaminating the production environment.
Decommissioning
The formal process of retiring a device or storage medium from service, ensuring that all sensitive data is unrecoverable before the asset leaves organizational custody. Primarily concerns storage devices (HDDs, SSDs, USB drives, backup tapes). Methods: cryptographic erase (destroy the FDE key β€” all ciphertext becomes permanently unreadable); NIST SP 800-88 purge-level overwrite for HDDs; physical shredding/degaussing for drives containing highly sensitive data (most certain method). Required documentation: asset tag, serial number, sanitization method, technician, date, chain of custody, certificate of destruction from third-party vendors. Improper decommissioning is a data breach β€” deleted or formatted drives are recoverable with free tools.
Cryptographic Erase
A data sanitization method that destroys the encryption key used to protect full-disk-encrypted data, rendering all stored ciphertext permanently unreadable. Effective for SSDs where traditional overwrite methods are unreliable due to wear leveling and hidden over-provisioning areas. Prerequisite: the drive must have been encrypted before data was written (FDE was deployed from day one). Process: generate or store a random encryption key when the drive is initialized; encrypt all data with that key; when decommissioning, destroy the key β€” the ciphertext remains on the drive but is computationally irrecoverable without the key. Operationally significant because it works instantly and avoids the challenges of secure overwrite on NAND flash storage.