Protecting the Integrity of Time Data

PCI Requirement 10.4.2 requires that time data is protected through time-synchronization technology. Organizations must implement controls that protect time data from unauthorized access or modification. Why? An attacker who can alter the time on your systems can make log timestamps unreliable, hiding when (or whether) their actions took place.

The testing procedures for PCI Requirement 10.4.2 require assessors to examine system configurations and time-synchronization settings to verify that access to time data is restricted to personnel with a business need. Assessors must also verify that any changes to time settings on critical systems are logged, monitored, and reviewed.

Now that NTP is established in our environment, we need controls that protect it from unauthorized modification. If I'm Hacker Joe and I'm in your environment, I may want to skew your NTP server, or the clock on the host I've compromised, so that the timestamps of what I've done no longer line up with the rest of your logs. What is specific to PCI Requirement 10.4.2 is that you need controls aimed at protecting the integrity of time within your environment: who can change time settings, and how such a change is logged, monitored, and reviewed. Your assessors are going to be looking at that data. They're also going to be looking for the controls you've established and making sure that whatever you've documented is actually in place and done securely.
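The "logged, monitored, and reviewed" part of 10.4.2 is where most environments are thin: the time service itself changes the clock all day long, so a useful review has to separate its routine adjustments from a clock change made by anyone or anything else. The script below is an added example, not code from the original article. It assumes Linux hosts run auditd with the common rule `-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change` and that Windows hosts forward Security event 4616 ("The system time was changed"); the log lines are constructed in a flattened key="value" form, since every collector lays these fields out differently.

```python
"""Review time-change events and flag ones the time-sync service did not make.

Added example for PCI 10.4.2. The sample log lines are constructed; the
process allow-list and the five-minute threshold are assumptions to tune.
"""
import re
from datetime import datetime, timedelta

# Processes that legitimately step or slew the clock (assumption: chrony on
# Linux, W32Time hosted in svchost.exe on Windows). Anything else that
# changes the clock gets a human review.
ALLOWED_TIME_PROCESSES = {
    "/usr/sbin/chronyd",
    r"C:\Windows\System32\svchost.exe",
}
# A step larger than this is suspicious even from an allowed process.
MAX_STEP = timedelta(minutes=5)

# x86_64 syscall numbers matched by the audit rule named in the lead-in.
TIME_SYSCALLS = {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"}

LINUX_RE = re.compile(
    r'type=SYSCALL .*?syscall=(?P<nr>\d+) .*?auid=(?P<auid>\d+) .*?'
    r'exe="(?P<exe>[^"]+)".*?key="time-change"'
)
WINDOWS_RE = re.compile(
    r'EventID=4616 user="(?P<user>[^"]+)" proc="(?P<proc>[^"]+)" '
    r'prev="(?P<prev>[^"]+)" new="(?P<new>[^"]+)"'
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def review_time_changes(lines):
    """Return one finding dict per clock change that needs review."""
    findings = []
    for line in lines:
        m = LINUX_RE.search(line)
        if m:
            call = TIME_SYSCALLS.get(int(m["nr"]), f"syscall {m['nr']}")
            if m["exe"] not in ALLOWED_TIME_PROCESSES:
                findings.append({
                    "source": "linux-audit",
                    "actor": f"auid={m['auid']}",
                    "process": m["exe"],
                    "reason": f"{call} by a process other than the time-sync daemon",
                })
            continue
        m = WINDOWS_RE.search(line)
        if m:
            step = abs(_ts(m["new"]) - _ts(m["prev"]))
            reasons = []
            if m["proc"] not in ALLOWED_TIME_PROCESSES:
                reasons.append("time set by a process other than the time service")
            if step > MAX_STEP:
                reasons.append(f"clock stepped by {step}")
            if reasons:
                findings.append({
                    "source": "windows-4616",
                    "actor": m["user"],
                    "process": m["proc"],
                    "reason": "; ".join(reasons),
                })
    return findings


# Constructed sample: one benign and one suspicious event per platform, plus
# an unrelated record that must be ignored.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1709287200.101:501): arch=c000003e syscall=159 success=yes exit=0 '
    'auid=4294967295 uid=0 gid=0 euid=0 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"',
    'type=SYSCALL msg=audit(1709287260.412:502): arch=c000003e syscall=227 success=yes exit=0 '
    'auid=1000 uid=0 gid=0 euid=0 comm="date" exe="/usr/bin/date" key="time-change"',
    'type=USER_LOGIN msg=audit(1709287300.000:503): pid=900 uid=0 auid=1000 exe="/usr/sbin/sshd" res=success',
    r'EventID=4616 user="LOCAL SERVICE" proc="C:\Windows\System32\svchost.exe" '
    r'prev="2024-03-01T10:00:00Z" new="2024-03-01T10:00:01Z"',
    r'EventID=4616 user="CORP\jdoe" proc="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'prev="2024-03-01T10:05:00Z" new="2024-02-28T10:05:00Z"',
]

if __name__ == "__main__":
    for finding in review_time_changes(SAMPLE_LINES):
        print(finding)
```

Run against the sample, the chronyd slew and the routine one-second W32Time correction are ignored, while `date` run by auid 1000 and the two-day backwards step from PowerShell are both reported. The audit user ID (`auid`) rather than `uid` is what you want in the finding: it survives `sudo`, so the record names the person who logged in, not root.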

Chronological Events

PCI Requirement 10.4.1 requires that critical systems have the correct and consistent time so that a chronological sequence of events can be reconstructed. Without proper and consistent synchronization, it is almost impossible to compare logs from different systems and determine an exact sequence of events. Compliance with PCI Requirement 10.4.1 is therefore crucial during incident response.

There are several testing procedures to verify compliance with PCI Requirement 10.4.1. The PCI DSS states that assessors should observe the process for acquiring, distributing, and storing the correct time within an organization and observe the time-related system-parameter settings for a sample of system components to verify that:

  • Only the designated central time servers receive time signals from external sources, and those time signals are based on International Atomic Time (TAI) or Coordinated Universal Time (UTC).
  • Where there is more than one designated time server, the time servers work with one another to keep accurate time.
  • Systems receive time information only from designated central time servers.

An assessor will follow these testing procedures and observe time management systems to ensure that critical systems have the correct and consistent time.

From a forensics perspective, if we try to recreate the chronology of what occurred and all of these systems are synchronized to different sources, or not synchronized at all, it gets very difficult to identify what occurred and in what order. For PCI Requirement 10.4.1, there are several testing requirements around managing NTP, or the time management of your systems, to ensure that all critical systems keep the same time. This covers everything from configuration standards that define how NTP is to be configured, to using designated time servers for the NTP service, to protecting the time authentication processes (for example, the keys used to authenticate NTP sources). From an assessment perspective, we're going to ask for that data. We're going to pull the time configuration off of your firewalls, routers, domain controllers, and member servers, and check that what you've documented in your standards is actually how NTP is managed and implemented in the environment.
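The three 10.4.1 test points map directly onto a few lines of NTP configuration, and pulling those lines off a sample of hosts is exactly what the assessment does. The checker below is an added example, not code from the original article or from any NTP project. It assumes chrony-style directives (`server`, `pool`, `peer`, `allow`, `cmdport`, most of which ntpd shares) and that `key N` on a source line means the association is authenticated with a symmetric key from the keyfile; the host names, subnet and config text are constructed.

```python
"""Check NTP/chrony configs against the PCI 10.4.1 test points.

Added example. DESIGNATED, INTERNAL_NETS and the three configs are constructed.
"""
import ipaddress

# Constructed: the two designated central time servers and the internal range.
DESIGNATED = {"ntp1.corp.example", "ntp2.corp.example", "10.0.0.11", "10.0.0.12"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SOURCE_DIRECTIVES = ("server", "pool", "peer")


def parse_directives(config_text):
    """Yield (directive, args) for each non-blank line, comments stripped."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def _internal(subnet):
    """True if the allow-ed subnet lies inside one of our internal ranges."""
    try:
        net = ipaddress.ip_network(subnet, strict=False)
    except ValueError:          # 'all', a bare host name, garbage
        return False
    return any(n.version == net.version and net.subnet_of(n) for n in INTERNAL_NETS)


def check_config(name, config_text, role):
    """role is 'designated' (central time server) or 'client' (everything else).
    Returns a list of findings; an empty list means the config passes."""
    findings = []
    sources = [(d, a[0], a[1:]) for d, a in parse_directives(config_text)
               if d in SOURCE_DIRECTIVES and a]
    external = [s for s in sources if s[1] not in DESIGNATED]
    internal = [s for s in sources if s[1] in DESIGNATED]
    if not sources:
        findings.append(f"{name}: no time source configured")

    if role == "client":
        # 10.4.1.c: systems receive time only from the designated central servers
        for d, host, _ in external:
            findings.append(f"{name}: receives time from non-designated source {host} ({d})")
        for _, host, opts in internal:
            if "key" not in opts:
                findings.append(f"{name}: source {host} is not authenticated (no key)")
    else:
        # 10.4.1.a: only the designated servers take time from external sources
        if not external:
            findings.append(f"{name}: designated server has no external source")
        # 10.4.1.b: the designated servers keep each other honest
        if not any(d == "peer" for d, _, _ in internal):
            findings.append(f"{name}: does not peer with the other designated server")
        # Serve only internal ranges and keep the remote command port closed,
        # so untrusted networks cannot query or steer the time data (10.4.2).
        for d, args in parse_directives(config_text):
            if d == "allow" and (not args or not _internal(args[0])):
                findings.append(f"{name}: allow {args[0] if args else '(all)'} serves non-internal clients")
            if d == "cmdport" and args and args[0] != "0":
                findings.append(f"{name}: remote command port {args[0]} is enabled")
    return findings


# Constructed configs. The designated server takes time from public UTC-based
# pools, peers with its twin, authenticates, and serves only the internal range.
DESIGNATED_SERVER_CONF = """
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
peer ntp2.corp.example key 1
keyfile /etc/chrony.keys
allow 10.0.0.0/8
cmdport 0
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
"""

# A member server done right: designated servers only, authenticated.
CLIENT_GOOD_CONF = """
server ntp1.corp.example key 1 iburst
server ntp2.corp.example key 1 iburst
keyfile /etc/chrony.keys
"""

# A member server with the distribution default left in place.
CLIENT_BAD_CONF = """
server ntp1.corp.example iburst
pool 2.debian.pool.ntp.org iburst   # leftover default: external source on a client
"""

if __name__ == "__main__":
    for host, conf, role in [("ntp1", DESIGNATED_SERVER_CONF, "designated"),
                             ("app01", CLIENT_GOOD_CONF, "client"),
                             ("app02", CLIENT_BAD_CONF, "client")]:
        print(host, check_config(host, conf, role) or "OK")
```

The `CLIENT_BAD_CONF` case is the one assessors find most often: the internal server was added, but the package's default public pool line was never removed, so the host still takes time from a source nobody designated. Unauthenticated `server` lines are reported too, because a source without a key is exactly what the 10.4.2 discussion above is worried about.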

Why do System Clocks and Times Need to be Synchronized?

Remember how PCI Requirement 10.3 requires that the date and time of each event are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires that organizations use time-synchronization technology to synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing, and storing time:

  • Critical systems have the correct and consistent time.
  • Time data is protected.
  • Time settings are received from industry-accepted time sources.

Why do organizations need to synchronize all critical system clocks and times? Suppose your organization has 20 machines and each one keeps a different time. Wouldn't it be incredibly difficult to build a chronological order of events, when the timestamp on each machine is different? The PCI DSS guidance for PCI Requirement 10.4 states, “When clocks are not properly synchronized, it can be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of events (crucial for forensic analysis in the event of a breach). For post-incident forensics teams, the accuracy and consistency of time across all systems and the time of each activity is critical in determining how the systems were compromised.”

To verify compliance with PCI Requirement 10.4, an assessor will want to examine configuration standards and processes for time-synchronization technology.

Now that you have logging enabled and are logging the correct events, remember that one of the requirements in PCI Requirement 10.3 said that we have to capture the time and date. From a forensics perspective, if we have 20 machines and each of them is on a different time, it is difficult to build a chronological picture of how things occurred. PCI Requirement 10.4 establishes the need for time management within your organization: central points of time management, and configuration standards for how time management is to be configured in your environment.

Which Assets were Impacted?

In order to identify which assets are affected by malicious activity, PCI Requirement 10.3.6 requires that every log entry details the identity or name of the affected data, system component, or resource. This helps an organization identify what malicious actions were taken and what they were taken against.

Through interviews and observation, auditors will try to verify that the identity or name of affected data, system component, or resource is included in log entries.

Every log entry that's generated needs to contain the identity of the asset that someone was trying to access or manipulate, so that we can identify what was tampered with, what was done, and what it was done to.


Where did an Event Begin?

When an event occurs, organizations need to know where it came from, so they can trace it back to its source. PCI Requirement 10.3.5 requires that every log entry details the origination of the event. By doing so, an organization can always identify where an event originated.

Through interviews and observation, auditors will try to verify that the origination of the event is included in log entries.

Every log entry that's generated needs to contain the origination of the event. This means that when an event takes place, we need to know where it came from, such as the source address or the host that generated it, in order to trace it back to where it happened.