S 5.172 Secure time synchronisation for centralised logging
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
During logging, each event must be assigned the current time so that it can be analysed later. It must be ensured that all IT systems use the same time base. Normally, a central network time server is used so that all systems have the same time even in a large information system. This server provides the central time reference, for example using the Network Time Protocol (NTP) (see S 4.227 Use of a local NTP server for time synchronisation). All other systems within the information system can synchronise using this external time reference.
Disturbances of the time synchronisation
A disturbance of the time synchronisation may cause problems in centralised logging. For example, the occurrence of an error can no longer be assigned to the correct time. An erroneous time base may also change the sequence of messages, so that the logged data is displayed in an incorrect order during analysis.
A further problem arises if an information system uses the time as a basis for checking whether contractual agreements under Service Level Agreements (SLAs) are complied with. Erroneous or missing time synchronisation of the IT systems or the central logging system may mean that the logged data cannot be used for the retention of evidence. For this reason, it must be ensured that all log files carry the current date and time. In addition, a uniform representation of the date and time in the log files must be ensured. If the logged data is analysed automatically, all log files should use a uniform date and time format in order to avoid misinterpretation during analysis.
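The following added example (not part of the safeguard text) shows one way a central log server can bring differently formatted timestamps into a single UTC representation before analysis. The host names, sample lines and the HOST_DEFAULTS table are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (host, raw timestamp as written by that host, message)
SAMPLE = [
    ("fw01", "2024-03-10T14:00:05+01:00", "connection blocked"),
    ("web01", "10/Mar/2024:13:00:02 +0000", "login failed"),
    ("db01", "Mar 10 15:00:04", "query error"),  # no year, no zone
]

# Assumption: documented year and UTC offset for hosts whose format omits them
HOST_DEFAULTS = {"db01": {"year": 2024, "tz": timezone(timedelta(hours=2))}}

# Formats that carry their own UTC offset
ZONED_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%b/%Y:%H:%M:%S %z")


def to_utc(host, raw):
    """Return (UTC datetime, assumed); assumed is True if HOST_DEFAULTS was needed."""
    for fmt in ZONED_FORMATS:
        try:
            return datetime.strptime(raw, fmt).astimezone(timezone.utc), False
        except ValueError:
            continue
    defaults = HOST_DEFAULTS.get(host)
    if defaults is None:
        raise ValueError(f"{host}: no zone information for {raw!r}")
    naive = datetime.strptime(f"{defaults['year']} {raw}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=defaults["tz"]).astimezone(timezone.utc), True


def normalise(lines):
    """Rewrite every record to one UTC format and return them in true order."""
    records = []
    for host, raw, message in lines:
        ts, assumed = to_utc(host, raw)
        records.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), host, message, assumed))
    return sorted(records)  # uniform format: text order equals time order


if __name__ == "__main__":
    for stamp, host, message, assumed in normalise(SAMPLE):
        note = "  (zone taken from HOST_DEFAULTS)" if assumed else ""
        print(f"{stamp} {host} {message}{note}")
```

Read by wall-clock value alone, the sample would appear in the order web01, fw01, db01; after normalisation db01 precedes fw01.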
In order to ensure that all IT systems involved are always provided with the correct time during centralised logging in an information system with increased protection requirements, a multi-tier time reference concept can be used. In this concept, the system time is provided by a DCF radio module in addition to the NTP service.
Review questions:
- Is the system time of all IT systems in the information system synchronised so that attacks on IT systems and applications, and their malfunctions, can be detected?
- Is it ensured that the date and time formats of the log files are uniform?