Incident prevention

Just a few notes. Because incident response is a cyclical process, preparation and prevention are considered both before and after an incident: before, to ensure something does not happen, and after, to ensure it doesn’t happen again.

Risk assessments

Regular risk assessments are a universal method of incident prevention. A risk matrix can help visualise and match risks with priorities. Risk assessments can identify critical assets, allowing people to more effectively prioritise monitoring and response activities for those resources.

An effective impact assessment starts with two questions:

  • What is at risk when an incident occurs?

  • How is impact measured?

The majority of organisations view reputational impact as the most important area to measure. Other areas include operational impact and legal impact. If an organisation is regulated, legal impact, policy impact, and regulatory impact can be measured as separate areas.

Host security

Continuously monitor the security of all hosts by enabling auditing and logging of all security events.

Approach host security with the principle of least privilege – privileges are based solely on the host’s authorised tasks, so each host is given the lowest privileges that still allow it to perform its duties.

Network security

Network security is to be approached similarly to host security – the network perimeter denies all traffic that isn’t expressly permitted.

Malware prevention

Deploy AV software across all hosts, application servers, and application clients. Where possible, prefer software designed to detect and stop malware as it spreads across the network, rather than relying only on the reactive approach of host-level AV that blocks the initial installation.

For additional security, configure a firewall at the network level to block inbound and outbound connections from or to known malicious domains and IP addresses. This reduces the likelihood of an incident and helps prevent malware from being installed.
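As an added example (not part of the original notes), the following nftables ruleset implements both points above: a perimeter that denies everything not expressly permitted, plus a named set of known-malicious IPv4 addresses that is dropped and logged in both directions. The addresses are constructed placeholders from the documentation ranges, and the permitted services are assumed for a small web host; domain-based blocking would be handled separately by DNS filtering, which is not shown.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet perimeter {
    # Known-malicious addresses. These are constructed placeholders
    # (RFC 5737 documentation ranges); feed this set from a maintained
    # threat-intelligence list in practice.
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    chain input {
        # Default deny: anything not matched below is dropped.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # Drop and log inbound traffic from the blocklist before any allow rule.
        ip saddr @blocklist_v4 log prefix "blocklist-in " drop
        # Management access only from the assumed admin network (placeholder).
        tcp dport 22 ip saddr 203.0.113.0/24 accept
        # Expressly permitted services.
        tcp dport { 80, 443 } accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        # This host does not route; forwarded traffic is denied.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is also default deny, so malware cannot reach out freely.
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # Drop and log outbound connections to the blocklist.
        ip daddr @blocklist_v4 log prefix "blocklist-out " drop
        # Expressly permitted outbound: DNS, NTP, web.
        udp dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept
    }
}
```

Load it with `nft -f <file>` and confirm the active policy with `nft list ruleset`; the `blocklist-in`/`blocklist-out` log prefixes make the dropped connections easy to pick out in the host’s kernel log.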

User awareness training

In an ideal situation, all users are aware of the security policies and procedures on acceptable use of networks, systems, and applications. At the end of an incident response process, the lessons learned can be shared with all users so everyone can recognise how their own actions affect the organisation.

All IT staff are trained to maintain security standards across all networks, systems, and applications.