Network Time Protocol (NTP) is a networking protocol used for clock synchronization of networked computing devices. While it is one of the oldest networking protocols—dating back to 1985—it remains a cornerstone of modern computing synchronization, and it is crucial for maintaining the proper operation and security of computing devices.
NTP is intended to synchronize all subscribing computers to within a few milliseconds of Coordinated Universal Time (UTC). A client queries a time server (ultimately tracing back, through a hierarchy of "strata," to a stratum-1 server attached to a reference clock such as GPS or an atomic clock) and then adjusts its local clock to match, normally by slewing it gradually rather than stepping it. NTP records four timestamps per exchange (client send, server receive, server send, client receive) and uses them to estimate both the clock offset and the round-trip delay, so that network latency is compensated for rather than mistaken for clock error.
NTP is most commonly deployed as a client-server model, but it can also be implemented using peer-to-peer (P2P, called symmetric mode in the protocol), and even broadcasting and multicasting, to ensure all computing devices are operating with the same time. If any devices are out of synchronization, then environments may not only run into operational challenges, but also introduce unnecessary cybersecurity risk.
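The following is an added example, not code from the original article or from BeyondTrust, showing the client side of the exchange described above: it builds an NTPv4 request, parses the 48-byte reply, rejects replies that are not trustworthy (unsynchronized server, Kiss-o'-Death, wrong origin timestamp), and computes the clock offset and round-trip delay from the four timestamps as specified in RFC 5905. The server reply is constructed inline so the example runs offline; the client in the demo is 90 seconds slow without knowing it. The `query()` function performs the same exchange over UDP/123 against a real server and is not called by the demo.

```python
"""NTPv4 client-side offset/delay computation (RFC 5905, section 8)."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_FORMAT = "!BBbbIIIQQQQ"            # LI/VN/Mode, stratum, poll, precision, root delay, root disp,
                                       # ref id, ref ts, origin ts, receive ts, transmit ts (48 bytes)

def to_ntp(unix_ts: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return (secs << 32) | frac

def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_request(t1_unix: float) -> bytes:
    # LI=0, VN=4, Mode=3 (client) -> 0b00_100_011 = 0x23; only the transmit timestamp (t1) is set.
    return struct.pack(NTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))

def parse_response(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, root_delay, root_disp, ref_id,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(NTP_FORMAT, pkt[:48])
    return {
        "li": li_vn_mode >> 6, "vn": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "ref_id": ref_id, "orig_raw": orig_ts,
        "t1": from_ntp(orig_ts),      # our transmit time, echoed by the server
        "t2": from_ntp(recv_ts),      # server receive time
        "t3": from_ntp(xmit_ts),      # server transmit time
        "root_delay": root_delay / 65536.0,   # 16.16 fixed point
        "root_disp": root_disp / 65536.0,
    }

def sanity_check(resp: dict, orig_raw_sent: int) -> None:
    """Refuse to trust a reply that the protocol itself marks as unusable."""
    if resp["mode"] != 4:
        raise ValueError("not a server (mode 4) reply")
    if resp["orig_raw"] != orig_raw_sent:
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    if resp["li"] == 3:
        raise ValueError("server reports its clock is unsynchronized (LI=3)")
    if resp["stratum"] == 0:
        code = resp["ref_id"].to_bytes(4, "big").decode("ascii", "replace")
        raise ValueError(f"stratum 0 (Kiss-o'-Death or unsynchronized), code {code!r}")
    if resp["stratum"] > 15:
        raise ValueError("stratum 16: server is not synchronized")

def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """RFC 5905: offset = ((t2 - t1) + (t3 - t4)) / 2, delay = (t4 - t1) - (t3 - t2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def constructed_server_reply(orig_raw: int, t2_unix: float, t3_unix: float) -> bytes:
    """Constructed stratum-2 reply for the offline demo (0x24 = LI 0, VN 4, Mode 4; ref id 10.0.0.1)."""
    return struct.pack(NTP_FORMAT, 0x24, 2, 6, -20, int(0.010 * 65536), int(0.002 * 65536),
                       0x0A000001, to_ntp(t2_unix - 30), orig_raw, to_ntp(t2_unix), to_ntp(t3_unix))

def demo() -> tuple:
    """Client clock is 90 s slow; one-way latency is 20 ms. Returns (offset, delay) in seconds."""
    t1 = 1_700_000_000.000                 # client clock at send (true time is 90 s later)
    request = build_request(t1)
    orig_raw = struct.unpack("!Q", request[40:48])[0]
    reply = constructed_server_reply(orig_raw, 1_700_000_090.020, 1_700_000_090.021)
    t4 = 1_700_000_000.041                 # client clock at receive (true time 1_700_000_090.041)
    resp = parse_response(reply)
    sanity_check(resp, orig_raw)
    return offset_and_delay(resp["t1"], resp["t2"], resp["t3"], t4)

def query(host: str, port: int = 123, timeout: float = 2.0) -> tuple:
    """Same exchange against a real server over UDP; not used by the offline demo."""
    t1 = time.time()
    request = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        data, _ = s.recvfrom(1024)
    t4 = time.time()
    resp = parse_response(data)
    sanity_check(resp, struct.unpack("!Q", request[40:48])[0])
    return offset_and_delay(resp["t1"], resp["t2"], resp["t3"], t4)

if __name__ == "__main__":
    off, dly = demo()
    print(f"offset {off:+.3f} s, round-trip delay {dly:.3f} s")
```

The demo recovers an offset of +90.000 s and a delay of 0.040 s: the 40 ms of network latency cancels out of the offset calculation because it is measured separately, which is the point of the four-timestamp design. Note what a production daemon does with that result that this snippet does not: it polls several servers, discards outliers, and slews the clock rather than jumping it by 90 seconds, precisely so that log timestamps never run backwards.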
Let’s consider the following example. An application generates a log file during normal operations. Within it, each event record has a timestamp corresponding to the entry. If the asset is not time-synchronized with other resources in the environment, the deviations in log time entries could be a few seconds, hours, or even days. In worst-case scenarios, the year could even be incorrect, either because it was improperly set, or because the system could not keep time while it was last fully powered off (typically a dead or missing real-time-clock battery). This is similar to your stove or microwave losing power and the clock resetting after a power outage. What makes this problem even more troubling is drift. Modern computer clocks are not perfect: an ordinary quartz oscillator wanders by seconds per day, which adds up to minutes per month. If the system has been running for a long time without its clock being disciplined, the deviation keeps compounding.
When multiple devices are in use without time synchronization, each resource believes a different time is correct. If you try to compare logs between resources, none of the timestamps line up. If the data is aggregated to a log server or a security information and event management (SIEM) system, the events will appear out of order, and analytics and correlation engines will not be able to process the data for unusual behavior or indicators of compromise. This becomes a security nightmare and a formidable challenge for any cyber forensics investigation. Some savvy threat actors may even tamper with NTP, knowing that it will complicate forensic log analysis and make their actions and tracks harder to uncover amidst the data noise.
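To make the correlation failure concrete, here is an added example (not from the original article or from BeyondTrust) with constructed log lines from three hosts. The true sequence is a VPN login, then a file open 40 seconds later, then a large outbound connection; but the file server's clock is 150 s slow and the proxy's is 330 s fast, so a naive merge by written timestamp puts the file access before the login and a simple "file open within five minutes of a login" rule never fires. Correcting each host's timestamps by its measured NTP offset (the value `offset_and_delay()` style computation returns, here supplied as constants) restores the real order. Host names, log formats, offsets and the rule's window are all assumptions for illustration.

```python
"""Constructed log-correlation example: naive merge vs. merge after NTP-offset correction."""
from datetime import datetime, timedelta, timezone

# Constructed log lines, each stamped by the writing host's OWN (possibly wrong) clock.
RAW_LOGS = {
    "vpn-gw": [
        "2024-03-05T09:00:00Z vpn-gw sshd: Accepted publickey for svc-backup from 203.0.113.7",
    ],
    "fileserver": [
        "2024-03-05T08:58:10Z fileserver smbd: svc-backup opened finance/payroll.xlsx",
    ],
    "proxy": [
        "2024-03-05T09:07:30Z proxy squid: 10.0.0.5 CONNECT 198.51.100.9:443 12 MB",
    ],
}

# Assumed offsets measured by an NTP query from each host: true_time = host_clock + offset.
# fileserver is 150 s slow (+150), proxy is 330 s fast (-330), vpn-gw is correct.
MEASURED_OFFSETS = {"vpn-gw": 0.0, "fileserver": 150.0, "proxy": -330.0}

def parse_line(host: str, line: str) -> dict:
    ts_str, msg = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"host": host, "written": ts, "msg": msg}

def merge(logs: dict, offsets: dict = None) -> list:
    """Merge all hosts' events into one timeline; with offsets, correct each host's clock first."""
    events = [parse_line(h, line) for h, lines in logs.items() for line in lines]
    for e in events:
        correction = offsets.get(e["host"], 0.0) if offsets else 0.0
        e["corrected"] = e["written"] + timedelta(seconds=correction)
    return sorted(events, key=lambda e: e["corrected"])

def order_of(events: list) -> list:
    return [e["host"] for e in events]

def login_then_access_within(events: list, window_s: float = 300.0) -> list:
    """Toy correlation rule: a file open within window_s AFTER an sshd login on the VPN gateway."""
    logins = [e for e in events if "sshd: Accepted" in e["msg"]]
    opens = [e for e in events if "smbd:" in e["msg"] and " opened " in e["msg"]]
    hits = []
    for lg in logins:
        for op in opens:
            dt = (op["corrected"] - lg["corrected"]).total_seconds()
            if 0 <= dt <= window_s:
                hits.append((lg["host"], op["host"], dt))
    return hits

def flag_skew(offsets: dict, threshold_s: float = 1.0) -> list:
    """Hosts whose measured offset exceeds what the correlation rules can tolerate."""
    return sorted(h for h, off in offsets.items() if abs(off) > threshold_s)

if __name__ == "__main__":
    print("naive order:    ", order_of(merge(RAW_LOGS)))
    print("corrected order:", order_of(merge(RAW_LOGS, MEASURED_OFFSETS)))
    print("rule hits naive:    ", login_then_access_within(merge(RAW_LOGS)))
    print("rule hits corrected:", login_then_access_within(merge(RAW_LOGS, MEASURED_OFFSETS)))
    print("hosts with unacceptable skew:", flag_skew(MEASURED_OFFSETS))
```

The after-the-fact correction only works if you know each host's offset at the time the events were written, which an investigator rarely does. The practical takeaway is the `flag_skew()` half: measure and alert on skew continuously, so the logs are right when they are written rather than repaired afterwards.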
Good security starts with good timing. Good timing implies that all resources in an environment, from cameras to servers, have the correct time. The most common method of setting the correct time is to use an NTP server, but not every device needs to be an NTP client. For example, in virtual environments, instances can sync their clocks with the hypervisor and the hypervisor with an NTP server. The point is simple: all devices need to have the same time, and they must keep their clocks continuously disciplined so that all logs, operational data, alerts, and runtime carry the proper time.
While NTP is 34 years old, the foundation it provides should not be overlooked for fundamental cybersecurity hygiene.
How can you ensure your organization does not succumb to the hazards of mis-timing?
Validate that every resource is configured to use a clock synchronization source, that the source itself is trustworthy (internal servers fed by a reliable upstream or a GPS/radio reference, using authenticated NTP such as Network Time Security (RFC 8915) or symmetric-key authentication where client and server support it), and that each client is actually synchronized rather than merely configured: check the reported stratum, leap status, and current offset with tools such as chronyc tracking, ntpq -p, or w32tm /query /status, and alert when the offset exceeds the tolerance your log correlation depends on. You can also use a solution, such as BeyondTrust Vulnerability Management, to verify the proper NTP settings on workstations and servers at scale.
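As an added example of the "actually synchronized, not merely configured" check (this is not code from the original article or from BeyondTrust), the function below parses the output of chronyc tracking on a Linux host and reports why the host's clock should not be trusted. The two sample outputs are constructed to match the tool's output format; the thresholds (0.5 s offset, stratum no higher than 10, 1 s root dispersion) are assumptions to tune for your environment, and `collect()` shows how the live output would be obtained.

```python
"""Assess a host's NTP health from `chronyc tracking` output (chrony's status command)."""
import re
import subprocess

# Constructed to match the chronyc tracking format: a healthy stratum-3 client.
SAMPLE_OK = """\
Reference ID    : C0A80A01 (ntp1.corp.example)
Stratum         : 3
Ref time (UTC)  : Tue Mar 05 09:00:12 2024
System time     : 0.000231456 seconds fast of NTP time
Last offset     : +0.000054321 seconds
RMS offset      : 0.000101010 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""

# Constructed: chronyd running but never synchronized, clock 150 s slow.
SAMPLE_BAD = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 150.002311000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 0.000000000 seconds
Root dispersion : 0.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""

def parse_tracking(text: str) -> dict:
    """'Key   : value' lines -> dict; split on the FIRST colon so times like 09:00:12 survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def system_offset_seconds(fields: dict) -> float:
    """Signed offset of the system clock from NTP time: positive = fast, negative = slow."""
    m = re.match(r"([\d.]+) seconds (fast|slow) of NTP time", fields["System time"])
    if not m:
        raise ValueError(f"unrecognized System time field: {fields.get('System time')!r}")
    secs = float(m.group(1))
    return secs if m.group(2) == "fast" else -secs

def assess(text: str, max_offset_s: float = 0.5, max_stratum: int = 10,
           max_root_disp_s: float = 1.0) -> list:
    """Return a list of problems; an empty list means the clock is fit for logging."""
    f = parse_tracking(text)
    problems = []
    if f.get("Leap status") != "Normal":
        problems.append(f"leap status is {f.get('Leap status')!r}, not Normal")
    stratum = int(f["Stratum"])
    if stratum == 0 or stratum > max_stratum:
        problems.append(f"stratum {stratum} is outside 1..{max_stratum}")
    offset = system_offset_seconds(f)
    if abs(offset) > max_offset_s:
        problems.append(f"system clock is {offset:+.3f} s from NTP time (limit {max_offset_s} s)")
    root_disp = float(f["Root dispersion"].split()[0])
    if root_disp > max_root_disp_s:
        problems.append(f"root dispersion {root_disp} s exceeds {max_root_disp_s} s")
    return problems

def collect() -> str:
    """Live output from the local chronyd (requires chrony to be installed)."""
    return subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, assess(sample) or "healthy")
```

Run against the live output, a non-empty result is what a monitoring job should raise an alert on; the "Not synchronised" leap status in particular is the state a host sits in when its configured server is unreachable or rejected, which is exactly when it still writes confidently timestamped logs that are wrong.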
If you’d like to learn more about how BeyondTrust can help you identify and remediate vulnerabilities (including those from misconfigurations and other system defects) across all platforms and devices, contact us today.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.