Is the clock on every computer system in your organization set to the correct time? If your answer is no, you're not alone. According to a 2007 study by Florian Buchholz and Brett Tjaden, both professors at James Madison University in the US, more than a quarter of the Web servers on the Internet have their clocks off by more than 10 seconds. Making sure that computers are set with the correct time is one of those seemingly petty technical things that can unfortunately have big, negative consequences if not done properly. That's because assumptions about time and its flow permeate modern computer systems-including software, hardware and networking. This is true of desktop systems, servers, mobile devices and even embedded systems like HVAC, alarm systems and electronic doorknobs.
Buchholz and Tjaden studied Web servers because they are particularly amenable to analysis: Every time you request a page from a modern Web server, the server sends back an HTTP header called "date" which indicates the time-of-day for the server's clock. But unless your organization has made an effort to keep time in a precise and accurate way, the chances are very good that you're doing a bad job.
Does Your Server Have the Time?
Having the correct time is important for security because system clocks are used for a lot more than just displaying the current time on your organization's homepage. Web servers write the time of every page downloaded into their log files: If the time-of-day clock is wrong, the log files are also wrong. This can be a problem if you are trying to figure out an attack that originated inside your organization. You may want to correlate file accesses with whether or not a suspect was seen at a desk, in a meeting or was known to be out of the office. But it's also important for attacks that originate outside your organization. That's because many attackers will mount their attacks from dynamically assigned IP addresses; if your time is off by a few minutes (or more), it may be nearly impossible to figure out where the attack came from or who was responsible.
Log files are just the beginning. Every time a file is modified, accessed or has its metadata changed, modern computer systems will update the file's so-called "MAC times." Forensic tools like EnCase, FTK and Sleuth Kit have the ability to read all of the MAC times within a computer system and sort them to create a single time line. Incident response teams will typically use these time lines to figure out which files an intruder browsed or modified.
Because clocks are so often set incorrectly, some forensic tools will allow the security practitioner to enter a time offset or "delta" when a log file is constructed. But these tools assume that a computer's time offset is constant-that if the computer was 30 minutes slow today, it was also 30 minutes slow three months ago. Unfortunately, that assumption isn't valid.