Easy with all that about the young people. I'm the youngest in my office and I get stuck with cleaning up the computers of the people 10+ years older than me.
But yeah, it's amazing how badly some people can screw up a computer. Last one I did was covered in grease and managed to have 2 rootkits, the FBI ransomware, and a handful of trojans/general malware.. Only took about 4 days to get it cleaned up. Needless to say the user of that machine is no longer with us even though it's not for reasons related to her computer..
Yea, for those working in the IT arena.. A few things one can do if corporate will pay for it..
1) SNORT (or other commercially available) IDS/IPS sitting off the outer router which hopefully also has an IP block list and one has a qualified individual who can create SNORT or other IDS/IPS signatures on the fly based on current threats. To include internal computers phoning home so to speak.. This is also presuming one has a DMZ which is between the firewall and Outer Router.. (where the external DNS, Web and other publicly accessible information is)
2) DNS Black Hole list..
3) An IP block list
5) Then a full application layer (deep packet inspection) Firewall with someone who can monitor and decipher anomalies..
6) And then an inner router (with another SNORT or other IDS)..
7) And then other IDS tactically located at core switches/routers that provide services to different buildings or locations..
This is a short list.. And just the basics.. But kinda get the gist..
The most important thing is to ensure someone is not only able to spend the time to research vulnerabilities but also to create definitions and is able to monitor..
Also, important to utilize public provided System Technical Implementation Guides provided at STIGs Master List (A to Z)
Note: not all are publicly accessible but most are and for those in the business can use those to help secure their networks.
And to use a product like this to ensure all systems are patched and provide a certain amount of continuous monitoring..
Or Vulnerability Management - Assessment - Endpoint Protection - IT Security Software | eEye Digital Security
This information is open source and there are other options out there.. Bottom line, with a properly tuned IDS/IPS, vulnerability/patch management program, and a full time human(s) watching it.. (although not perfect), does a pretty good job of mitigation..
But, to be truthful in Computer Network Defense (CND), the other guys or if you wish the bad guys keep on attacking and only have to get it right once whereas the CND peeps have to be accurate 100% of the time.. That is not happening.. No one gets it right 100% of the time.. They (the other guys and state sponsored actors) are out there and stealing your and my personal, corporate, government, and military proprietary information..
Phishing and other attack vectors - another story.. LOL..
Not to be paranoid or anything, but situational awareness can be your friend to include just personal use of the net..
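An added example, not part of the posts above: a minimal sketch of how a DNS black hole list and an IP block list (items 2 and 3) can be used to spot internal computers phoning home. The list entries, the internal range, the log line format and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
DNS_BLACKHOLE = {"bad-c2.example", "malware-update.example"}
IP_BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed log format: "dns <client> <queried name>" or "flow <src> <dst> <dport>"
SAMPLE_LOG = """\
dns 10.1.4.22 www.example.org
dns 10.1.4.22 cdn.bad-c2.example
flow 10.1.7.9 203.0.113.45 443
flow 10.1.7.9 192.0.2.10 80
flow 192.0.2.99 10.1.4.22 445
dns 10.1.9.3 MALWARE-UPDATE.EXAMPLE.
garbage line
"""

def name_is_blackholed(name, blackhole):
    """Match the queried name or any of its parent domains against the list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blackhole for i in range(len(labels)))

def ip_is_blocked(ip, blocklist):
    return any(ip in net for net in blocklist)

def find_phone_home(log_text):
    """Return (internal_host, reason) for outbound contact with listed destinations."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            if parts[:1] == ["dns"] and len(parts) == 3:
                src = ipaddress.ip_address(parts[1])
                if src in INTERNAL and name_is_blackholed(parts[2], DNS_BLACKHOLE):
                    alerts.append((str(src), "dns:" + parts[2].lower().rstrip(".")))
            elif parts[:1] == ["flow"] and len(parts) == 4:
                src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
                if src in INTERNAL and ip_is_blocked(dst, IP_BLOCKLIST):
                    alerts.append((str(src), "ip:%s:%s" % (dst, parts[3])))
        except ValueError:
            continue  # malformed address in the log line: skip it
    return alerts

if __name__ == "__main__":
    for host, reason in find_phone_home(SAMPLE_LOG):
        print(host, reason)
```

Only traffic that originates inside the network is flagged, so the inbound flow from 192.0.2.99 is ignored here and left to the perimeter IDS/IPS.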