One common opportunity for attackers is the lack of patching by organizations and end users. Cisco looked at 103,121 Cisco devices connected to the internet and found that devices were running known vulnerabilities for an average of five years.
Looking at software used across three million servers, Cisco found that the Apache webserver and OpenSSH remote connectivity applications were also running with vulnerabilities that had an average age of five years.
“Some people just run systems, and if they do what they’re supposed to do, they just don’t care about being out of date,” Jason Brvenik, principal engineer in the security business group at Cisco said. “People don’t care because they’re not concerned; rather they don’t care because they are not aware.”