The issue of cybersecurity time

There is one thing that is most often not debated when it comes to cybersecurity.

This thing is time and it is effective. When we talk about time, we can allude to several things. For example, when a subscription, password, or IT services expire. There are also the intervals of security updates and audits. The question of time is vast but still necessary because poor control of time in the field of cybersecurity and it in general can cause enormous consequences often Irreversible. Stéphane Reytan, Specialist at BlueTrusty confirms this meant: "The importance of time in computing Without a reliable time, most computer systems will fail: expiration of passwords, incorrect validity of SSL certificates (making Internet browsing almost impossible), desynchronization of computational and storage clusters, planned tasks launched at the wrong time or not at all, non-faithful management of the retention of backups and logs… ».

This article will also interest you: Fighting Cyber-Malaria: Cybersecurity Teams with IT Support

In 2013, the National Information Systems Security Agency (ANSSI) published recommendations on time in the field of information technology. These recommendations focused on the logging system, which is also imposed on companies by being in the category of OPVs (Vital Importance Operators and OSE (Vital Importance Operators and Essential Service Operators). Recommendation number 3 notes: "Equipment clocks must be synchronized to several consistent internal time sources. These sources can themselves be synchronized to several reliable external sources, except for isolated networks. [..] it is important to adopt an appropriate configuration logic to ensure the temporal consistency of logs at the collection server level." Clearly, time management responds to the coherence necessary to define a viable cybersecurity policy. Otherwise it would be difficult to have an infrastructure that works properly.

Moreover, since the majority of systems are community-based, it is not uncommon to see that the identities of many owners are unknown or simply not established. In such a context, if we assume that it is possible to have a source of trust via the Internet, is the transport of time secure? This question is obvious because it would be difficult if not impossible to achieve this. Speaking of NTP, the BlueTrusty specialist noted: "For current implementations, good practices for securing the NTP stream are described in RFC 863[X]3 dated July 2019. The main security measure used is the authentication of messages via the use of a shared secret: a symmetrical encryption key (MD5 traditionally, AES-128-CMAC more recently) to sign messages. This key is static and should be renewed periodically. ». However, he reminds us: "Unfortunately, there is no mechanism for managing the life cycle of this key (distribution, expiration). Specifically, the security extension to the NTP protocol called Auto[Y]Key, which was intended to automate the renewal of authentication keys, has critical vulnerabilities and therefore needs to be deactivated[W]. ».

Today, the idea is to do everything possible to overcome the security flaw in this aspect. Awaiting approval from the Internet Engineering Task Force (IETF), the body responsible for developing and promoting internet standards, a new additional mechanism is being developed. This mechanism is the NTS for Network Time Security, an extension of NTPv4. A significant step forward in securing time on computer networks. Even if this will not suffice as Stéphane Reytan says: "NTS will not solve all the problems in the case of partitioned networks – thus without Internet access – or . well criticality of the availability and authentication of the time service, well-known context of the OIV and OSE (…) In this case, the best alternative is to equip yourself with NTP "boxes" that recover time via radio waves (ideally via the "hourly sign[G]al") or by GPS (extra-European system, unless explicitly using GALIL[H]EO) and then distribute it locally on IP networks via NTP (possibly with the use of the NTS extension). ».

Now access an unlimited number of passwords:

Check out our hacking software