We've decided that the results/recommendations coming out of most of the Internal Security Reviews we do can be summarised in three lines.
a) Patch everything. Not just Windows - everything.
b) Change default credentials. Don't leave your main router with creds of admin/admin
c) Get rid of clear text protocols. Ditch telnet for SSH and ftp for sftp
It doesn't require Ninjas, Red Teams or Zero days to compromise most organisations, given access to their internal networks. In fact why bother with anything fancy, when the most basic of techniques uncovers such glaring faults.