Just curious as to what the AO members do to try to make sure their networks are not the 'low hanging fruit', as it were.

Some things I do [externally]:

Change default ports for services like SSH, and key based authentication... Also user allow lists.
Make sure that only services that are absolutely necessary are running.
nmap scans against our IP range to look for anything open that shouldn't be.
XSS/SQL injection testing against our webservers.
Keep patches up to date. [of course]

These are all pretty basic. I am looking for other ideas to harden our perimeter. Feel free to offer suggestions for securing the internal network as well. Don't want the 'Skittle' type network.