8. Preventing Threats
Basic Threat Reduction Steps
There is no single control that stops every threat, so security is built by combining several basic protections.
Keep systems and applications updated. Vendors release patches to fix bugs and security flaws. If patches are not applied, known vulnerabilities remain exploitable. Patch management is the process of making sure updates are applied in time.
Remove or disable unnecessary services and protocols. If a service is not needed, it should not be running. Unused services increase attack surface. A service that is turned off cannot be exploited on that system.
Use IDS and IPS.
An IDS (Intrusion Detection System) monitors network or host activity and alerts on suspicious behavior; it observes a copy of the traffic and does not block anything itself.
An IPS (Intrusion Prevention System) is placed inline with traffic and can block malicious traffic before it reaches the target. IPS is an active control, while IDS is mainly for detection and alerting.
Use anti-malware / antivirus. These tools detect and block malicious software such as viruses, ransomware, spyware, and other malware. Modern anti-malware may use signatures, behavior analysis, pattern recognition, and machine learning. Many endpoint security tools also combine antivirus with firewall and IDS/IPS features.
Use firewalls. Firewalls filter traffic based on rules. They can protect an entire network or a single host. Traditional firewalls mainly filter traffic by IP address, port, and protocol. Newer firewalls add more features such as intrusion prevention, proxy functions, identity-based control, application awareness, and other integrated threat protections.
Perform regular scans. Vulnerability scans and port scans help find open ports, weak settings, missing patches, and exposed services, so weaknesses can be fixed before an attacker finds them.
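The two checks a scan or inventory review most often turns up from this list, an unnecessary listening service and a missing patch, can be automated against a host inventory. The script below is an added example, not part of the original notes: the allowlist, package names and "fixed in" versions are constructed placeholders standing in for an organisation's baseline and vendor advisories.

```python
# Constructed baseline check: flags listening services that are not on the allowlist
# and packages older than the version in which the vendor fixed a flaw.
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    service: str
    port: int
    bind: str  # "0.0.0.0" listens on every interface, "127.0.0.1" on loopback only

# Assumption: the baseline says only these services may listen on a network-facing interface.
ALLOWED_LISTENERS = {("sshd", 22), ("nginx", 443)}

def version_tuple(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def unnecessary_listeners(listeners):
    """Return findings for services reachable from the network that the baseline does not allow.
    Loopback-only listeners are skipped: they add no network attack surface."""
    findings = []
    for lst in listeners:
        if lst.bind == "127.0.0.1":
            continue
        if (lst.service, lst.port) not in ALLOWED_LISTENERS:
            findings.append(f"{lst.service} listening on {lst.bind}:{lst.port} is not in the baseline; disable it")
    return findings

def missing_patches(installed, fixed_in):
    """installed: {package: version on the host}; fixed_in: {package: first version carrying the fix}.
    Returns findings for packages whose installed version is older than the fixed version."""
    return [f"{pkg} {installed[pkg]} is older than patched {fixed_in[pkg]}; update it"
            for pkg in fixed_in
            if pkg in installed and version_tuple(installed[pkg]) < version_tuple(fixed_in[pkg])]

# Constructed sample inventory for one host (placeholder data, not real advisories).
SAMPLE_LISTENERS = [
    Listener("sshd", 22, "0.0.0.0"),
    Listener("nginx", 443, "0.0.0.0"),
    Listener("telnetd", 23, "0.0.0.0"),    # legacy service nobody needs: extra attack surface
    Listener("redis", 6379, "127.0.0.1"),  # loopback only, so not network-facing
]
SAMPLE_INSTALLED = {"openssl": "3.0.1", "nginx": "1.24.0"}
SAMPLE_FIXED_IN = {"openssl": "3.0.2", "nginx": "1.24.0"}

def run_baseline_check(listeners=SAMPLE_LISTENERS, installed=SAMPLE_INSTALLED, fixed_in=SAMPLE_FIXED_IN):
    """Combine both checks into one list of findings for the host."""
    return unnecessary_listeners(listeners) + missing_patches(installed, fixed_in)

if __name__ == "__main__":
    for finding in run_baseline_check():
        print(finding)
```

On the sample host it reports telnetd as an unnecessary network-facing service and openssl as behind the patched version, while the loopback-only redis and the up-to-date nginx produce no finding.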
Main Idea
Reduce threats by patching systems, disabling unnecessary services, using IDS/IPS, anti-malware, firewalls, and regular scanning.