T 3.116 Lack of time synchronisation during log analysis
If the clocks of the IT systems within an information system are not synchronised, the logged data cannot be compared: the time stamps of events recorded on different systems have no common basis. For example, correlating a blocked connection logged by a security gateway (firewall) with unsuccessful login attempts logged on the target server may fail. This risk is particularly relevant if centralised logging is used, since the purpose of a central logging server is to relate messages from different IT systems to one another; without a common time basis, these messages cannot be correlated.
The format of the date and time in a time stamp very often depends on regional settings. For example, in the USA the date is written as MM/DD/YYYY (month/day/year), so 05/09/2009 denotes 9 May 2009, whereas the same string is read as 5 September 2009 under the DD/MM/YYYY convention common in Europe. This may cause misinterpretations during automatic analysis, for example by an IT early-warning system.
Furthermore, the year is frequently not recorded in log files at all; this is particularly common on Unix systems, whose traditional syslog time stamp contains only month, day and time of day (and usually no time zone either). This is a problem for the validity of the data whenever events further back in time must be considered: once log entries span more than a year, they can no longer be sorted chronologically without additional information.
Examples
- Within an information system, a centralised logging server is commissioned. All IT systems in the LAN obtain their time from an internal NTP server. The information system is subjected to several attacks, in the course of which the NTP server is compromised. The time distributed by the NTP server is altered so that the remaining IT systems run on a different time than the logging server. As a consequence, the logged data of the IT systems is inconsistent and cannot be compared with each other.
- A German company integrates a new security gateway (firewall), developed and manufactured outside Europe, into its information system. Since all IT systems and applications within the company are monitored by means of an IT early-warning system, this security gateway is integrated as well. In the IT early-warning system, a rule is enabled that triggers an alarm for every logged entry whose date differs from the current date; this is intended to detect possible manipulation of the logged data. The early-warning system interprets dates in the form DD/MM/YY (day/month/year), but the log files of the new security gateway provide dates in the form MM/DD/YY (month/day/year). As a consequence, the security gateway produces a large number of false alarms on the very first day it is connected to the IT early-warning system.
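The following Python script is an added example and not part of the original threat description. It illustrates both the parsing problems described above (a syslog stamp without a year, and a numeric date that is ambiguous between day/month and month/day order) and the two examples (a host whose clock has drifted away from the logging server's, and the early-warning rule that misreads the firewall's date format). All log lines, host names, IP addresses and the one-hour skew are constructed for this example; the per-source time stamp formats, the reference year and the assumption that all sources log in UTC are inputs the analyst has to supply, not something the logs themselves reveal.

```python
"""Time stamp normalisation and clock-skew checks for centralised log analysis.

All log lines below are constructed for this example; they are not real logs.
Two sources feed one collector, which records when it received each line:
  unix : classic syslog stamp without year or time zone ("May  9 13:03:11")
  fw   : firewall writing US-style MM/DD/YYYY
"""
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# Year assumed for syslog stamps that carry none (supplied by the analyst,
# here taken from the collector's clock; strptime would otherwise use 1900).
REFERENCE_YEAR = 2009

# Time stamp format per source, declared explicitly instead of guessed.
SOURCE_FORMATS = {"unix": "%b %d %H:%M:%S", "fw": "%m/%d/%Y %H:%M:%S"}


def parse_timestamp(source, text, year=REFERENCE_YEAR, tz=timezone.utc):
    """Parse a source's own time stamp into an aware datetime (assumed UTC)."""
    fmt = SOURCE_FORMATS[source]
    ts = datetime.strptime(text, fmt)
    if "%Y" not in fmt and "%y" not in fmt:
        ts = ts.replace(year=year)
    return ts.replace(tzinfo=tz)


def date_interpretations(text):
    """All calendar dates a numeric date string could mean under m/d/y or d/m/y.
    More than one result means the string is ambiguous without format metadata."""
    found = set()
    for fmt in ("%m/%d/%Y", "%d/%m/%Y"):
        try:
            found.add(datetime.strptime(text, fmt).date())
        except ValueError:
            pass
    return found


def date_mismatch_alarms(records, source, fmt, today):
    """The early-warning rule from the second example: alarm on every line of
    `source` whose date, parsed with the system's configured `fmt`, is not today."""
    return [msg for src, stamp, _recv, msg in records
            if src == source and datetime.strptime(stamp, fmt).date() != today]


def source_offsets(records):
    """Median (received - logged) per source, the collector's clock being the
    common reference. A large value means the source's clock, or the NTP server
    feeding it, is off and its events must be shifted before correlation."""
    deltas = {}
    for src, stamp, received, _msg in records:
        deltas.setdefault(src, []).append(received - parse_timestamp(src, stamp))
    return {src: median(d) for src, d in deltas.items()}


def skewed_sources(offsets, tolerance=timedelta(seconds=5)):
    """Sources whose clock offset exceeds `tolerance`."""
    return sorted(src for src, off in offsets.items() if abs(off) > tolerance)


def correlate(records, offsets=None, window=timedelta(seconds=30)):
    """Pair firewall DENY events with sshd failures from the same client IP that
    fall within `window` after shifting each event by its source's offset.
    With offsets=None the raw stamps are compared, as a naive analysis would."""
    offsets = offsets or {}
    events = [(src, parse_timestamp(src, stamp) + offsets.get(src, timedelta(0)), msg)
              for src, stamp, _recv, msg in records]
    pairs = []
    for src, t_fw, msg_fw in events:
        ip = re.search(r"\bsrc=(\S+)", msg_fw) if src == "fw" else None
        if not ip:
            continue
        for src2, t_u, msg_u in events:
            if (src2 == "unix" and "sshd" in msg_u
                    and f"from {ip.group(1)} " in msg_u and abs(t_u - t_fw) <= window):
                pairs.append((msg_fw, msg_u))
    return pairs


def at(h, m, s):
    """Collector receive time (UTC) on 2009-05-09, the collector's own clock."""
    return datetime(2009, 5, 9, h, m, s, tzinfo=timezone.utc)


# (source, time stamp as written by the source, collector receive time, message)
# Constructed data: the unix host's clock runs one hour behind the collector.
RECORDS = [
    ("fw", "05/09/2009 14:02:58", at(14, 2, 59), "DENY src=203.0.113.5 dst=192.0.2.10 dport=22"),
    ("unix", "May  9 13:03:11", at(14, 3, 12), "sshd[4711]: Failed password for root from 203.0.113.5 port 50222 ssh2"),
    ("unix", "May  9 13:03:15", at(14, 3, 16), "sshd[4711]: Failed password for root from 203.0.113.5 port 50223 ssh2"),
    ("unix", "May  9 13:05:40", at(14, 5, 41), "cron[80]: (root) CMD (run-parts /etc/cron.hourly)"),
]

if __name__ == "__main__":
    print("ambiguous:", sorted(date_interpretations("05/09/2009")))
    print("false alarms with DD/MM:", date_mismatch_alarms(RECORDS, "fw", "%d/%m/%Y %H:%M:%S", at(0, 0, 0).date()))
    offs = source_offsets(RECORDS)
    print("skewed sources:", skewed_sources(offs))
    print("raw correlation:", correlate(RECORDS))
    print("corrected correlation:", correlate(RECORDS, offs))
```

Running the script shows that 05/09/2009 has two valid readings, that the DD/MM rule raises an alarm on every firewall line of the day while the correct MM/DD format raises none, that the unix host is reported as roughly 3601 s off, and that the firewall DENY and the sshd failures from 203.0.113.5 only line up once the measured offset has been applied. The collector's receive time serves as the common reference here; it is only as trustworthy as the collector's own clock, which is exactly what the compromised NTP server in the first example undermines.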