1) Know your network. Inventory all devices on your network with an asset recovery tool. Record network addresses, machine names, the purpose of each device and person responsible for it. Encrypt this information. Likewise, devise an encrypted list of software authorized to run on your network. Periodically test your software inventory tool by deploying new software to see when it's detected. Note the delay; that's a vulnerable time.

2) Test and verify. Document and test security settings on system images before deploying laptops, workstations and servers. Sample systems once a month to see that settings are correct. Store master images on secured servers or offline machines.

3) Seize control. At network connection points, implement filters to allow use of only those ports and protocols with a documented business need. Use two-factor authentication and encrypted sessions on all network devices. Require people logging in remotely to use two-factor authentication, too.

4) Be suspicious. Set audit logs to record dates, time stamps and source and destination addresses for each piece of software. Devise profiles of common activity and tune logs to look for anomalies. Deploy firewalls to look for common Web attacks. Test source code for malware and backdoors before deploying.

5) Watch your back. Run vulnerability scans at least weekly (preferably daily). Compare sequential scans to ensure previous problems were addressed. Install critical patches within a week. Report daily on locked-out and disabled accounts, as well as accounts with passwords set to never expire or with passwords exceeding maximum age. Get explanations for these accounts. Check machines daily and push out updates for malware protection.

For more details about these and the rest of the guidelines as well as an explanation of how attackers exploit the lack of each control, visit www.gilligangroupinc.com.

Do you Tweet? Follow me on twitter @knash99. Follow everything from CIO Magazine @CIOMagazine.