Trusted Time


When it comes to reconstructing what has been happening on a system, time is very important. The ability to construct a consistent linear time line is paramount to understanding the sequence of events that occurred on the system. If the time on the system is inconsistent, it increases the complexity of this analysis.

Therefore, if a hacker changes the time of the system, or timestamps in logs or timestamps of files, he can create a great barrier to the system administrators in their attempts to track down the hacker at work. Inconsistent time can be enough to prevent the prosecution of an incident.

System Clock

System time is critical to the appropriate running and monitoring of a system. All time information is retrieved from the system clock. Altering the system clock will alter the perception of time throughout the entire system. The date command can be used to change the system time. This command is generally restricted so that only the superuser can execute it. All processes that can change the system clock should be audited and any changes to the system time should be logged to the system log file.

Some systems are more restrictive about changing the time. The restrictions on setting the clock backwards may differ from those on setting it forwards. Changing the clock might be permitted only during the start-up process. The system may not allow the clock to be changed at all if it is using a trusted time source.

Network Time Protocol

Network Time Protocol (NTP) is a method of getting the time from an external source. It is used to synchronize the system clocks on a number of systems.

Traditionally, NTP is implemented only when the synchronization of system clocks is very important. However, it is usually implemented without enough security to keep a compromised time service from affecting the systems that are dependent on that service. A hacker can compromise the system time by compromising the system that is the source of the time for the other systems or by compromising the communication between the systems. This is especially true when your NTP time is obtained from an unsecured host on the Internet.

If system synchronization is critical to the running of your business, then the time sources must be extremely well-secured and the NTP data communication must be secured.

Time Server

A time server is a system which supplies a consistent and accurate time to other systems with NTP. This system should have a secure time source. Common time sources include GPS, the global positioning system, and the National Institute of Standards radio broadcast from Colorado Springs. These sources use atomic clocks to maintain correct time.

It is suggested that the time server and the log server be hosted on the same system. This configuration will aid in maintaining consistent time within the different systems' logs, which helps in correlating events on these different systems. As far as prosecution goes, accurate time for evidence collection is critical.
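The following is an added example, not code from the book: a check a log server with trusted time could run to flag hosts whose clocks were set back or have drifted from the collector. The record layout (collector receipt time, host, the host's own timestamp, message), the sample lines and the five-second tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical layout):
# "<collector receipt time> <host> <host's own timestamp> <message>"
SAMPLE = """\
2002-03-01T10:00:01 web1 2002-03-01T10:00:00 sshd: session opened for user root
2002-03-01T10:00:31 web1 2002-03-01T10:00:30 su: pam session opened
2002-03-01T10:01:02 web1 2002-03-01T08:15:00 cron: job started
2002-03-01T10:01:20 db1 2002-03-01T10:01:19 sshd: session opened for user ops
2002-03-01T10:02:05 web1 2002-03-01T08:16:03 sshd: session closed for user root
"""


def find_time_anomalies(text, max_skew=timedelta(seconds=5)):
    """Return (line_no, host, kind, delta_seconds) for each suspicious record.

    kind is "clock-stepped-back" when a host's own timestamp is earlier than
    its previous record, or "skew-vs-collector" when the host's timestamp
    differs from the collector's receipt time by more than max_skew.
    """
    last_stamp = {}  # host -> last timestamp that host wrote
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        received_s, host, stamped_s, _msg = line.split(" ", 3)
        received = datetime.fromisoformat(received_s)
        stamped = datetime.fromisoformat(stamped_s)

        # A host's clock should never run backwards between its own records.
        prev = last_stamp.get(host)
        if prev is not None and stamped < prev:
            delta = (stamped - prev).total_seconds()
            findings.append((line_no, host, "clock-stepped-back", delta))

        # The collector's trusted clock is the reference for every host.
        if abs(received - stamped) > max_skew:
            delta = (stamped - received).total_seconds()
            findings.append((line_no, host, "skew-vs-collector", delta))

        last_stamp[host] = stamped
    return findings


if __name__ == "__main__":
    for finding in find_time_anomalies(SAMPLE):
        print(finding)
```

The receipt time recorded by the collector also gives the analyst a second, independent ordering of events when a host's own timestamps can no longer be trusted.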

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
