CISA (the Cybersecurity and Infrastructure Security Agency) in the US has developed a document that focuses specifically on guidance for timing and synchronisation from the perspective of network operators, CIOs (Chief Information Officers) and CISOs (Chief Information Security Officers). The goal of the document is to highlight the importance of timing and sync within enterprise networks and systems.
At this stage you are probably wondering why it's important to have accurate time and sync throughout your network, but I assure you it will all become clear.
Time and sync are critical to many network functions, from network security to monitoring analytics and much more, yet many users of time services don't know much about what they are using or where the time comes from, and that's a problem! Let's look at a couple of scenarios, cited by the document, where knowing more about your time and sync would have avoided some unfortunate and preventable problems:
REAL WORLD EVENT 1
GPS receiver firmware updates were not applied prior to, and in preparation of, the April 6, 2019, GPS Week Number Rollover event. As a result, the New York City Wireless Network (NYCWiN), which controls traffic lights and other key functions within the city, was adversely impacted for 11 days in April 2019. A formal report concluded the outage could have been prevented had firmware updates been conducted in advance of the rollover event.
REAL WORLD EVENT 2
As a result of the April 6, 2019, GPS Week Number Rollover, a number of Boeing Dreamliner aircraft were grounded in China because of a malfunction with their GPS equipment. For most airlines, the rollover occurred without incident, but older devices onboard some aircraft displayed an almost 20-year date discrepancy. As many as 15 flights were delayed or canceled as they awaited GPS software updates.
THE NEXT EVENT?
Your IT network has been attacked, causing financial losses and damaging the reputation of your company. Understanding how the attack took place will assist in preventing future incidents and potentially identifying the attacker. According to Federal Bureau of Investigation (FBI) cyber investigators, timestamps are a crucial artifact when performing digital forensics analysis. When comparing events, it can be difficult to determine what activity caused another when timestamps are incorrect. When investigating computer intrusions, the timing associated with malware artifacts — being written to disk or in memory — and any corresponding network traffic is critical because it can make the difference between correlating the network activity of the malicious attack and introducing ambiguity from other causes. Determination of activity related to the user versus a malicious actor is heavily dependent upon the accuracy and consistency of timestamps across data sets. While timing itself is important, it is equally important to understand the time offsets or time zones of the timestamp data. Only with accurate timestamps and properly correlated time offsets can accurate timelines of computer intrusions be retrieved.
Full CISA document can be found here
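The forensic scenario above can be made concrete with a short added example (not taken from the CISA document or written by this article's author) that rebuilds an intrusion timeline from three log sources. The source names, UTC offsets, clock skew and log events are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-source clock facts: UTC offset of the logged wall-clock time and
# measured clock error in seconds (source clock minus true time; negative = slow).
SOURCES = {
    "proxy":    {"utc_offset_h": 0,  "skew_s": 0},
    "firewall": {"utc_offset_h": 1,  "skew_s": 0},
    "host":     {"utc_offset_h": -8, "skew_s": -95},
}

# Constructed sample log events: (source, local timestamp as logged, description).
EVENTS = [
    ("host",     "2024-03-04 06:00:40", "executable written to disk"),
    ("host",     "2024-03-04 06:00:52", "new process started"),
    ("proxy",    "2024-03-04 14:02:10", "HTTP GET for executable"),
    ("firewall", "2024-03-04 15:02:09", "outbound connection allowed"),
]

def to_utc(source, stamp, apply_skew=True):
    """Convert a logged local timestamp to UTC, optionally removing clock skew."""
    info = SOURCES[source]
    tz = timezone(timedelta(hours=info["utc_offset_h"]))
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    utc = local.astimezone(timezone.utc)
    if apply_skew:
        utc -= timedelta(seconds=info["skew_s"])  # a slow clock is moved forward
    return utc

def timeline(events, apply_skew=True):
    """Return events sorted by corrected UTC time as (utc, source, description)."""
    rows = [(to_utc(s, t, apply_skew), s, d) for s, t, d in events]
    return sorted(rows, key=lambda r: r[0])

def order(rows):
    """Reduce a timeline to its sequence of event descriptions."""
    return [d for _, _, d in rows]

if __name__ == "__main__":
    print("as logged:      ", [d for _, _, d in sorted(EVENTS, key=lambda e: e[1])])
    print("time zones only:", order(timeline(EVENTS, apply_skew=False)))
    for utc, src, desc in timeline(EVENTS):
        print(utc.isoformat(), src, desc)
```

With time zones corrected but the host's clock error ignored, the file still appears on disk before the download that delivered it; only after both corrections does the network activity precede the disk write.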
To mitigate these problems or enhance your environment, it's recommended that you take a few simple steps, which we will be looking into over the coming series of articles.
1: Know your System
2: Know your Timing source(s)
3: Know your Users
4: Regularly update your system
5: Document and test your system and sources
6: Diversify your timing sources
7: Detect and address anomalies in your timing sources
The aim of this miniseries is to break down the steps recommended by CISA, but also to understand how different timing solutions can be implemented and to offer some practical guidance for the management of time in enterprise systems.
It is a little-known fact that nearly all organisations rely on accurate time to sustain their daily network operations. Some industries are more aware of this than others, such as investment banking and 5G, where it is imperative to have accurate timestamps and sync; think about trade timestamps, event monitoring, database timestamps, and the list goes on.
“ACCURATE SYNCHRONIZED TIME IS CRITICAL TO MANY NETWORK FUNCTIONS AND TO NETWORK SECURITY”
“The ability of an organization’s time infrastructure to deliver accurate and stable time while protecting the availability and integrity of time depends on the organization’s function and requirements”
Over the next few days we will be releasing follow-up articles, each covering one of the seven steps listed above, starting tomorrow with: Know Your System.