Almost everything mentioned in this string is reactive in nature. IMHO, in order to effectively combat the threats and vulnerabilities of the future, we (as a security community) need to be more proactive. Yes, blocking ports and patching machines is important, but the zero-day exploits of the future may not allow us to do that. With the potential for the exploit to use emerging practices, such as embedded polymorphic coding engines (the worm, virus, etc. will not look the same way twice), the use of anomaly- or behavioral-based protective measures needs to be considered. Again, in my opinion, signature-based protective measures will be obsolete in a couple of years, including current AV products.
I'm not endorsing any products here, just sharing my experience. During the Blaster outbreak, I had laptops installed with a variety of firewall and behavioral/anomaly analysis software: Sygate, ZoneAlarm, Symantec, Cisco Security Agent (formerly Okena), and ISS Desktop Protector (formerly BlackICE). Although all of the products could have prevented the infection, due to business requirements within the company, certain ports had to be open to facilitate business communication (e.g., 135) - only the behavioral-based products, Cisco and ISS, prevented the infection. The versions of the products used were produced in March 2003, well before the MSRPC exploit was revealed by MS. No updates or changes to the installations were made. The products blocked the worm based on its behavior and what it was attempting to do. After doing some research, I found out these products were pretty successful in blocking most (if not all) of the problematic infections over the past year or so. Although some of these products can be pricey, how much does it cost you or your company to address these problems in the first 24-48 hours? Based on the numbers I have seen, one major infection would probably cover the cost of these products for the first year or two...
I was pretty impressed with the performance of these products - I just wanted to pass it along as an ounce of preventive medicine...
~aberration~
