Marc Spitler is surprised.

The co-author of Verizon's annual data breach investigations report is looking at the age of vulnerabilities exploited by attackers in 2014, and few if any come from 2014 - or even the two years prior.

Instead, the largest number of successful exploits in 2014 used vulnerabilities identified - and patched - in 2007.

"I was actually very surprised to see the diversity of years in the output and just seeing how prevalent items from eight years ago are," Spitler tells Information Age.

In fact, attackers managed to find 30 vulnerabilities from 1999 that still worked.

"Apparently hackers really do still party like it's 1999," Verizon states in its report.

"Just because a CVE [common vulnerability and exposure] gets old doesn't mean it goes out of style with the exploit crowd."

Although he can see these numbers, Spitler is unsure of their root cause: that is, why or how systems can remain connected to the internet over a period of up to 16 years or more and remain vulnerable to patched problems.

"We unfortunately don't know why those devices are still hanging out there like that," he said.

"We know that they weren't patched but we don't necessarily know what the breakdown was that allowed the device to sit out there and be vulnerable for that amount of time."

For more recently discovered vulnerabilities, attackers are being aided by the growing window of time it is taking vendors to create and release patches, according to a separate report by Symantec.

Last year was characterised by an increase in exploitation of so-called zero-day vulnerabilities - which are unleashed without responsible disclosure.

"In 2014, it took 204 days, 22 days and 53 days for vendors to provide a patch for the top three most exploited zero-day vulnerabilities," Symantec said.

"By comparison, the average time for a patch to be issued in 2013 was only four days."

IoT on the radar

Three threat analysis reports released on the same day by Verizon, Symantec and Dell also examine what threats might target the Internet of Things (IoT).

Verizon recommends IoT adopters keep an eye on the space while noting that no one is really trying to exploit the web of connected devices that make up the Internet of Things.

"The question we need to ask about the IoT is what is going to be the motivation for any sort of attack on it?" Spitler said.

"Right now the answer is that we really haven't seen a threat there. There just doesn't seem to be any sort of enticement for an adversary to attack this in earnest."

Rather than attack the individual machines transmitting tiny amounts of data back to base - for example, smart meters - Spitler believed it was more likely that attackers would focus on where that data ended up.

"A lot of times I think the data is going to be more valuable to someone in aggregate [form] so it might be that some of the more common assets like databases and servers will ultimately be targeted," he said.

"They might be being fed information from sensors or connected devices but we just haven't really seen anything going after the connected devices themselves yet."

Symantec believed attacks on distributed internet infrastructure "can be seen as harbingers of what is to come in the larger IoT space".

"The internet is made up of hubs, switches and routers that move information from place to place," Symantec said.

"These devices, from retail home routers to form-factor network-attached storage devices, are at the very least close cousins in the emerging IoT device space.

"They have processing, storage, and internet connectivity and in many ways function just like more strictly defined IoT devices."

Meanwhile, Dell saw the operating systems used by vehicles being increasingly targeted. Connected cars are seen as another use case for IoT, and Dell said it was "inevitable" that they would be tested by hackers.