When you find evidence of a command-and-control channel in your network, it will scare the shopt out of you. It's like that sinking feeling when you see the police cruiser light up in your rear view mirror, but ten-fold.

And the quality of malware lately has gotten very, very good. Once upon a time we could rely on the relative sloppiness and noise; malware practically begged for attention. Those halcyon days are long gone...

Indeed. What made matters worse, as I understand it, was the transition of malware from a creation of script kiddies re-using the same VB code to professional thieves and then to intrusive government and government paid thieves. With the government's ability to access your ISP servers and data farms and compromise hardware makers and some open source projects not even Linux is as secure as it used to be.

I still don't worry about script kiddies or professional thieves, who are just better trained script kiddies. But, with rogue agencies like the FBI and the NSA snooping and data collecting (with PATRIOT Act approval by both political parties), it doesn't seem to matter if they can sneak in through your ports or not, since all they have to do is threaten your ISP or bank and they get all your personal info anyway. And of what use is an Internet isolated computer if the security is compromised by the act of installing an OS or software that is already bugged. If the computer has a wifi the air gap is breached and the computer might as well be connected to the Internet.

..
That's why we run Ethereal, uh sorry, Wireshark.