Cisco has been working to draw attention to the hidden security risks organizations face by not properly maintaining their aging infrastructure and patching vulnerable systems. Threat actors, including ransomware operators, are using vulnerable Internet infrastructure as a foothold to launch their campaigns. The trends lead us to believe we should expect to see more of this activity in the future — with widespread attacks that target not only traditional servers and endpoints, but also the network itself.  This future activity will bring with it significant consequences affecting not only enterprises, but also entire industries.

Many of the security problems in aging infrastructure are not hard to foresee. Systems that were designed, built and deployed in decades past didn’t anticipate the hostile security environment of today.   Until now, very few have thought about securing infrastructure because they didn’t think adversaries would target these systems and devices, or they had ‘higher priorities’ to fix. This must change.

There is another, even more basic issue: Organizations around the globe are at heightened risk of attack simply because they have not managed this infrastructure, often for several years, entirely missing opportunities to fix known vulnerabilities in their infrastructure.

To understand the scope of this problem, we examined a sample set of Cisco devices deployed around the globe to determine the ages of known vulnerabilities running on fundamental infrastructure. Our findings are discussed in detail in the newly released Cisco 2016 Midyear Cybersecurity Report.

Our analysis was built on the foundation of research about aging infrastructure that we conducted in 2015 and presented in our previous security report [link]. In that first study, we found that 92 percent of the 115,000 Cisco devices sampled on the Internet had known vulnerabilities in the software they were running.

Here are few key highlights from our latest research:

Twenty-three percent of the devices we examined had vulnerabilities dating back to 2011, and nearly 16 percent had vulnerabilities that were first published in 2009. In addition, each device was running 28 known vulnerabilities, on average.


In addition to the infrastructure built with Cisco products, we also looked at common server software packages for further insights.  Organizations using the web-server software, Apache, and secure remote communications software, OpenSSH, showed similarly worrying trends.  They have been running known vulnerabilities for an average of 3.9 years and having an average of nearly 16  known vulnerabilities for these software products.


In summary, our analysis of Cisco products, Apache, and OpenSSH found that the internet ecosystem of enterprises and service providers are not diligent about addressing known vulnerabilities in either group of products. With vulnerabilities hanging around for about 5 years, on average, the operational space for adversaries to either directly attack the vulnerable organizations, or us it as a launching pad to attack others extremely broad.


The reasons organizations avoid upgrading their network infrastructure are understandable. Updates are inconvenient and time-consuming. They can be very resource-intensive. And every minute that some piece of critical infrastructure is offline is time when a technology-enabled business is not running on full cylinders — and thus, potentially losing money.

However, every moment that an organization chooses to operate with vulnerable infrastructure places it at even greater risk for a crippling breach. Infrastructure vulnerabilities provide adversaries with both time and space to operate, allowing them to move laterally across the network so they can lay the groundwork for campaigns that will deliver maximum impact.

There is another risk of procrastination for organizations to consider, as well: Businesses that have fragile and insecure infrastructure are not likely to succeed in the emerging next-generation digital economy, where security is an essential component for digital transformation.

Businesses must assess the overall strength and cyber-resilience of their deployed infrastructure and systems. This process likely will be eye-opening, but it’s a necessary reality check. Organizations that proactively improve their security posture will be better positioned to meet today’s threats and to prepare for tomorrow’s challenges — and opportunities.

Download the Cisco 2016 Midyear Cybersecurity Report to read more about our findings.


Anthony Grieco

SVP & Chief Security & Trust Officer

Security and Trust Organization