The clocks of all relevant information processing systems within an organisation or security domain must be synchronized to a single reference time source. System clock synchronization is important, especially when evidencing events as part of an investigation or legal proceeding as it is often impossible or very difficult to prove “cause & effect” if clocks are not synchronized correctly. Being able to rely upon a pinpoint accurate synchronize time across an organisation’s information systems is of paramount importance not only for the ongoing operation of a company’s commercial systems, but also in the event of an ICT-related incident. Accurate time representation gives an organisation the ability to provide itself and any law enforcement or regulatory bodies with a reliable account of how information has been managed, along with the actions of its employees and vendors.All systems should be configured with the same time and date; otherwise, if an incident occurs and we want to carry out a traceability test of what has happened in the different systems involved, it can be difficult if each one has a different configuration. Therefore, the ideal scenario would be that systems have a synchronized time, and this can be achieved in an automated manner with time servers (technically known as NTP servers, where “NTP” stands for an internet protocol for the synchronization of systems clocks).
The clocks of information processing systems used by the organization should be synchronized to approved time sources.
To enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.
ISO 27002 Implementation Guidance
External and internal requirements for time representation, reliable synchronization and accuracy should be documented and implemented. Such requirements can be from legal, statutory, regulatory, contractual, standards and internal monitoring needs. A standard reference time for use within the organization should be defined and considered for all systems, including building management systems, entry and exit systems and others that can be used to aid investigations. A clock linked to a radio time broadcast from a national atomic clock or global positioning system (GPS) should be used as the reference clock for logging systems; a consistent, trusted date and time source to ensure accurate time-stamps. Protocols such as network time protocol (NTP) or precision time protocol (PTP) should be used to keep all networked systems in synchronization with a reference clock. The organization can use two external time sources at the same time in order to improve the reliability of external clocks, and appropriately manage any variance. Clock synchronization can be difficult when using multiple cloud services or when using both cloud and on-premises services. In this case, the clock of each service should be monitored and the difference recorded in order to mitigate risks arising from discrepancies.
The correct setting of computer clocks is important to ensure the accuracy of event logs, which can be required for investigations or as evidence in legal and disciplinary cases. Inaccurate audit logs can hinder such investigations and damage the credibility of such evidence.
Organisations is to establish a standard reference time that can be used across all commercial, logistical and maintenance-based systems as a trusted date and time source for all the organisation’s needs. Organisations should:
- Draft internal and external requirements for three aspects of clock synchronisation:
- Time representation
- Reliable synchronisation
When addressing said requirements, organisations should address their needs from 6 separate angles:
- Internal monitoring
Make use of a radio time broadcast linked to an atomic clock as a singular reference point, alongside the implementation of key protocols (NTP, PTP) to ensure adherence across the network. Consider managing two separate time sources to improve redundancy.
Distributed System is a collection of computers connected via the high speed communication network. In the distributed system, the hardware and software components communicate and coordinate their actions by message passing. Each node in distributed systems can share their resources with other nodes. So, there is need of proper allocation of resources to preserve the state of resources and help coordinate between the several processes. To resolve such conflicts, synchronization is used. Synchronization in distributed systems is achieved via clocks. The physical clocks are used to adjust the time of nodes.Each node in the system can share its local time with other nodes in the system. The time is set based on UTC (Universal Time Coordination). UTC is used as a reference time clock for the nodes in the system. The clock synchronization can be achieved by 2 ways: External and Internal Clock Synchronization.
- External clock synchronization is the one in which an external reference clock is present. It is used as a reference and the nodes in the system can set and adjust their time accordingly.
- Internal clock synchronization is the one in which each node shares its time with other nodes and all the nodes set and adjust their times accordingly.
There are 2 types of clock synchronization algorithms: Centralized and Distributed.
- Centralized is the one in which a time server is used as a reference. The single time server propagates its time to the nodes and all the nodes adjust the time accordingly. It is dependent on single time server so if that node fails, the whole system will lose synchronization. Examples of centralized are- Berkeley Algorithm, Passive Time Server, Active Time Server etc.
- Distributed is the one in which there is no centralized time server present. Instead the nodes adjust their time by using their local time and then, taking the average of the differences of time with other nodes. Distributed algorithms overcome the issue of centralized algorithms like the scalability and single point failure. Examples of Distributed algorithms are – Global Averaging Algorithm, Localized Averaging Algorithm, NTP (Network time protocol) etc.
Network Time Protocol (NTP) is an internet protocol used to synchronize with computer clock time sources in a network.Network Time Protocol (NTP) was developed to co-ordinate the time of the Internet and networked computers. It belongs to and is one of the parts of the TCP/IP suite. The term NTP applies to both the protocol and the client-server programs that run on computers. NTP implements a hierarchical system of time references. The hierarchy level, referred to as stratum, represents the distance of a time synchronization server from a source reference clock. The lower the stratum, the closer the reference clock. Stratum 1 devices are connected directly to a hardware clock, such as a GPS or radio time source.The following three steps are involved in the NTP time synchronization process:
- The NTP client initiates a time-request exchange with the NTP server.
- The client is then able to calculate the link delay and its local offset and adjust its local clock to match the clock at the server’s computer.
- As a rule, six exchanges over a period of about five to 10 minutes are required to initially set the clock.
Once synchronized, the client updates the clock about once every 10 minutes, usually requiring only a single message exchange, in addition to client-server synchronization.
Precision Time Protocol (PTP) is a protocol that promotes the synchronization of clocks throughout a computer network. This protocol is used to synchronize clocks of different types of devices. PTP is a protocol that works for seamless communication between different devices. It uses a master-slave system of time resources and provides synchronization. This system consists of one or more communication devices and a single network connection provided by a grand master device. This grand master is responsible for the root timing reference. The grand master transmits synchronized information to the devices residing in the communication medium. Some of the features of PTP are –
- It has an alternate time-scale functionality.
- It uses a Grand Master clock to synchronize the communication.
- It works on master-slave architecture.
- It makes the path of communication traceable.