Daylight Savings Time Ends, Time To.....?
Check the batteries in your smoke detectors.
Write to your congressman about why the government should not be messing with your body clock.
Perform your semiannual network time synchronization check.
Well, we all know that the two time changes each year are a good time to check your smoke detector batteries, and, if you feel about your body clock like I do mine, 2 is a good answer. I would like to propose that we in the compliance/security world should also use these occasions to verify our clock synchronization.
We all must face the fact that we live in a world where security breaches have sadly become a way of life. Many of us at one point or another will be involved in a security investigation. Having the clocks on all of your systems in sync is important to any such investigation.
Consider a couple of example scenarios:
You experience a theft of a few laptops from your business overnight. Your security cameras show poor images of a few individuals in and out, and you decide to correlate these images with records from your badge access log.
A bank notifies you that they suspect that customer credit card data was stolen from your server. Access logs on the server confirm suspicious access, so you decide to check your network access devices to find the source of entry.
In both of the above scenarios, it is critical to have the clocks on all of the systems synchronized. Without this, it is impossible to be certain if and how events recorded by various systems and devices are connected.
You may be a good enough detective to connect the dots, but even if you can, you fail a test critical to official investigations and prosecutions - non-repudiation. According to Wikipedia, "Non-repudiation refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract." In simpler terms, establishing non-repudiation means that an accused party cannot successfully challenge the validity of evidence of an action.
If you have multiple logs each showing part of a suspicious transaction, you cannot establish non-repudiation without a common time stamp connecting the parts of the events. Even if you can piece together the different logs logically, for example by showing that one system is 6 hours behind the other, you could not prove this without a consistent time stamp in a way acceptable to most courts.
Almost every server and network device provides a means of synchronizing the local clock with a common time source, either a designated server within a network, or an outside source. This is usually done using Network Time Protocol (NTP). There are a wide variety of standardized time sources freely available on the Internet. It is just a matter of setting up NTP on each server/device, and checking each periodically to make sure that synchronization is working properly.
So, let's all agree to designate the twice yearly time changes as the time to verify time synchronization all of our devices, or at least until my congressman returns my email!