Cybersecurity Mitigation Techniques

Defense in Depth

Layered security — no single control is relied upon. If one layer fails, others contain the damage.

Layers (outside → inside):
Physical → Perimeter → Network → Host → Application → Data

Example stack:
- Firewall + IPS (perimeter)
- Network segmentation (network)
- EDR + patching (host)
- Input validation + auth (application)
- Encryption at rest + DLP (data)

Patch Management

Step        Description
Inventory   Know every asset and its software versions
Monitor     Track CVEs, vendor advisories, threat intel
Prioritize  CVSS score + exploitability + asset criticality
Test        Apply to staging before production
Deploy      Automated where possible (WSUS, SCCM, Puppet)
Verify      Confirm patch applied, rescan

Priority order:
1. Critical + actively exploited (CISA KEV list)
2. Critical + internet-facing
3. High severity internal systems
4. Medium / Low — scheduled maintenance
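
The prioritization step above, worked as code (an added example, not part of the original notes): each finding is placed in one of the four tiers from the priority order, then ordered within its tier by asset criticality and CVSS score. Assumptions beyond the notes: a KEV-listed finding goes to tier 1 whatever its score, a critical finding on an internal system shares tier 3 with high-severity ones, and the CVE ids and criticality labels are constructed placeholders.

```python
from dataclasses import dataclass

# Asset criticality labels and their rank; constructed, used only to order within a tier
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    cve: str                 # placeholder ids below, not real advisories
    cvss: float              # CVSS v3 base score, 0.0-10.0
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool    # reachable from the internet
    asset_criticality: str   # "high" | "medium" | "low"


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority_tier(f: Finding) -> int:
    """1 = actively exploited (KEV), 2 = critical and internet-facing,
    3 = high or critical on internal systems, 4 = scheduled maintenance."""
    sev = severity(f.cvss)
    if f.in_kev:                       # assumption: KEV listing outranks the score
        return 1
    if sev == "critical" and f.internet_facing:
        return 2
    if sev in ("critical", "high"):    # assumption: internal critical joins tier 3
        return 3
    return 4


def remediation_queue(findings):
    """Order findings by tier, then asset criticality, then CVSS (highest first)."""
    return sorted(findings, key=lambda f: (priority_tier(f),
                                           CRITICALITY_RANK[f.asset_criticality],
                                           -f.cvss))


# Constructed sample inventory; the CVE ids are placeholders
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", 7.5, False, False, "medium"),
    Finding("CVE-PLACEHOLDER-2", 9.8, False, True, "high"),
    Finding("CVE-PLACEHOLDER-3", 6.5, True, False, "low"),
    Finding("CVE-PLACEHOLDER-4", 3.1, False, True, "high"),
    Finding("CVE-PLACEHOLDER-5", 9.1, False, False, "high"),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE):
        print(priority_tier(f), f.cve, f.cvss, "KEV" if f.in_kev else "")
```

Note that the KEV-listed finding with a medium score (6.5) lands at the head of the queue, ahead of the internet-facing 9.8: exploitation evidence, not the score, drives tier 1.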

Network Segmentation

Dividing the network into zones to contain breaches and limit lateral movement.

Zones:
- DMZ: Public-facing servers (web, mail, DNS)
- Internal: Corporate workstations
- OT/ICS: Operational technology (air-gapped or tightly controlled)
- Management: Out-of-band admin access only

Implementation:
- VLANs
- Firewalls between segments
- Zero Trust microsegmentation
- SDN (Software-Defined Networking)

Principle of Least Privilege (PoLP)

Users and processes get only the minimum access required to do their job.

How to apply:
- No shared admin accounts
- JIT (Just-in-Time) access for privileged tasks
- Regular access reviews (quarterly)
- Remove access immediately on role change or departure
- Service accounts with scoped, non-interactive permissions only

Multi-Factor Authentication (MFA)

Require two or more factors: something you know + something you have/are.

Factor       Examples
Knowledge    Password, PIN, security questions
Possession   Hardware token, authenticator app (TOTP), smart card
Inherence    Fingerprint, face recognition, retina scan

Strongest → weakest:
Hardware token (FIDO2) > Authenticator app (TOTP) > Push notification > SMS OTP

Phishing-resistant MFA: FIDO2 / WebAuthn (hardware key binds to domain)

Endpoint Protection

EDR (Endpoint Detection & Response):
- Behavioral analysis (not just signatures)
- Incident investigation and forensic timeline
- Automated response (isolate host, kill process)

Additional controls:
- Application allowlisting
- HIPS (Host Intrusion Prevention System)
- USB device control
- Full disk encryption (FDE)
- Secure boot + TPM

Vulnerability Management

Continuous cycle:
Discover → Prioritize → Remediate → Verify → Report

Tools:
- Nessus, Qualys, Rapid7 InsightVM (scanning)
- CVSS scoring (severity)
- CISA KEV catalog (actively exploited CVEs — prioritize these)

Zero Trust Architecture

Never trust, always verify. No implicit trust based on network location.

Principles:
1. Verify every user, device, and request explicitly
2. Use least privilege access
3. Assume breach — segment, log, detect

Components:
- Identity: MFA + conditional access
- Device: compliance checks (MDM/EDR)
- Network: microsegmentation
- Application: per-request authorization
- Data: classification + encryption

Encryption

Use case         Recommendation
Data at rest     AES-256 (FDE or file-level)
Data in transit  TLS 1.2+ (prefer TLS 1.3)
Passwords        bcrypt, scrypt, Argon2 (salted + slow)
Asymmetric       RSA 2048+ or ECC (P-256/P-384)
Hashing          SHA-256 or SHA-3 (not MD5/SHA-1)

Backups (3-2-1 Rule)

3 copies of data
2 different storage media types
1 copy offsite (or offline)

+ Test restores regularly
+ Immutable backups (ransomware protection)
+ Air-gapped / offline backup for critical systems

Security Awareness Training

Topics:
- Phishing recognition (simulated campaigns)
- Password hygiene and MFA
- Physical security (tailgating, clean desk)
- Data handling and classification
- Incident reporting procedures

Frequency:
- Annual baseline training
- Simulated phishing monthly
- Role-specific training for privileged users

Incident Response Preparedness

Before an incident:
- IR plan documented and tested (tabletop exercises)
- Playbooks for common scenarios (ransomware, phishing, DDoS)
- IR retainer (3rd party IR firm on standby)
- Log retention and SIEM configured
- Out-of-band communication channel

Detection tooling:
- SIEM: centralized log analysis
- SOAR: automated playbook execution
- Honeypots / honeytokens: early warning tripwires

Key Security Controls Quick Reference

Control type   Examples
Preventive     Firewall, MFA, encryption, input validation
Detective      SIEM, IDS, audit logs, anomaly detection
Corrective     Patch management, incident response, backups
Deterrent      Policies, warning banners, visible cameras
Compensating   Used when the ideal control isn’t feasible (e.g., network monitoring in place of a patch)
Physical       Locks, mantraps, guards, cable locks