IT administrators are racing to update systems ahead of the March 11 start to daylight-saving time (DST). Nobody's concerned about the firewall or antivirus software flaking out, but anxiety abounds over other potential security consequences.
Starting this year, DST will be extended by four weeks in the U.S., Canada, Bermuda and the Bahamas because of the Energy Policy Act of 2005. It will begin the second Sunday of March instead of the first Sunday in April, and will be extended until the first Sunday in November instead of the last Sunday in October. IT shops must now apply a series of patches from their various IT vendors to ensure electronic appointment calendars and other software tools aren't knocked off kilter when the clocks spring an hour ahead.
While basic security tools won't be affected by the switchover, some IT administrators fret about possible timing glitches in their forensic and auditing tools, while others worry about security fixes gathering dust as IT shops focus instead on DST patching. Network access controls could also be affected, they say.
"Really, anything that is time sensitive could be problematic," said Joshua Lutz, network analyst for a large New England law firm. "For a basic example, think of a building security system that does not change time correctly. If you limit the times a particular employee can access the facility, what happens when they show up to work at the correct time but the security system thinks it's an hour too early? In that example, it is merely an inconvenience, but it illustrates a problem that could have more severe consequences."
Lutz also worries about the potential impact on network auditing.
"Say your user account is utilized to perform some nefarious action by someone impersonating you just after you leave your shift, but according to the building security system you hadn't left yet because it's an hour behind," he said in an email. "Is it problematic? Yes. Is it discoverable? Yes. Is it fixable? Yes. Is someone going to have a really bad day who might not deserve it? Maybe."
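To make the audit-trail concern concrete, here is an added example (not from the article, Lutz, or any vendor) that models the old and new US DST rules at day granularity and shows on which days, and by how much, a local timestamp from an unpatched host lands in the wrong place when a patched log collector correlates it; the US Eastern standard offset of -5 and the sample timestamp are assumptions.

```python
from datetime import date, datetime, timedelta

# Day-granularity model of the two US DST rule sets (02:00 local transitions are ignored).
def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (n starts at 1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def last_sunday(year, month):
    """Date of the last Sunday of a month."""
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def dst_window_old(year):
    """Pre-2007 rule: first Sunday in April until last Sunday in October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)

def dst_window_new(year):
    """Energy Policy Act of 2005 rule: second Sunday in March until first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)

def in_dst(day, window):
    start, end = window
    return start <= day < end

def utc_offset_hours(day, window, standard_offset):
    """Local UTC offset on a day under the given rule set (+1 h while DST is in force)."""
    return standard_offset + (1 if in_dst(day, window) else 0)

def mismatch_days(year):
    """Days on which an unpatched (old-rule) host and a patched host disagree on the offset."""
    old, new = dst_window_old(year), dst_window_new(year)
    day, out = date(year, 1, 1), []
    while day.year == year:
        if in_dst(day, old) != in_dst(day, new):
            out.append(day)
        day += timedelta(days=1)
    return out

def correlation_skew_hours(local_ts, standard_offset=-5):
    """Hours between where a patched collector places a local-time event stamped by an
    unpatched host and where it really belongs (negative = placed too early).
    Assumes US Eastern (standard offset -5) unless told otherwise."""
    day = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").date()
    host_offset = utc_offset_hours(day, dst_window_old(day.year), standard_offset)
    collector_offset = utc_offset_hours(day, dst_window_new(day.year), standard_offset)
    # collector_utc - true_utc = (local - collector_offset) - (local - host_offset)
    return host_offset - collector_offset

if __name__ == "__main__":
    days = mismatch_days(2007)
    print(len(days), "mismatch days in 2007, from", days[0], "to", days[-1])
    # Constructed sample: a badge-system event logged by a host still on the old rules.
    print("skew for 2007-03-12 09:00 local:", correlation_skew_hours("2007-03-12 09:00:00"), "h")
```

The 28 mismatch days are exactly the four weeks the article describes; any event logged in local time on those days by an unpatched host needs a one-hour correction before it can be lined up with patched sources.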
Y2K all over again?
Jay Wessel, vice president of technology for the Boston Celtics, is pretty confident his security appliances and software will hold up to the DST switch because it's not necessarily critical that the devices know the correct time. But he does worry about some unforeseen security side effects. Like Lutz, he lists access controls to the building as one potential problem.
"It's like Y2K, you don't know until it happens," he said. "On March 11 I'll be paying close attention."
While predictions of Y2K disaster never came to pass, IT administrators were sent scrambling to update systems as they are doing now. The DST change is a bigger deal than Y2K, according to Jeffrey Jarzabek, IT director for Matocha Associates, an Oakbrook Terrace, Ill., firm specializing in architecture, engineering, general contracting and construction management.
"My entire staff didn't know about it until I brought it up last month," he said, noting that no one seems to know or remember that Congress passed the Energy Policy Act in 2005. In contrast, people discussed Y2K for years and made elaborate plans well ahead of time.
From a security standpoint, he worries about his Active Directory access control settings going out of balance.
"Active Directory is constantly synching across the network, whether it be to remote users or workstations and other servers," he said in an email exchange. "If these synchronizations do not occur and policies are not updated, it could prevent users from logging on. That's a major problem. What happens if a security fix is issued and then put out using GPO (group policy objects) but the update doesn't synchronize? You now have a security hole."
Security patches on the backburner
Another problem is that IT shops may be leaving security fixes on the back burner, focusing instead on the mountain of DST patches, said Susan Bradley, a Microsoft MVP and IT expert at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif. That's particularly worrisome when one considers the volume of critical security fixes Microsoft released in February alone.
"This is really overshadowing security patching," she said. "If you look at the patch management lists, everyone is really focusing on DST right now. Eighty percent of the questions out there are on DST and the remaining 20% are security-based."
Bradley is a regular voice on the patch management email forum hosted by Roseville, Minn.-based Shavlik Technologies, where questions and comments have overwhelmingly been focused on DST in recent weeks.
Vendors accused of moving too slowly
IT administrators are nearly unanimous in their view that their IT and security vendors have been moving too slowly to address DST. Lutz is particularly frustrated with Microsoft.
"Some [vendors] fixed this a long time ago and it's a non-event. Others are adopting the ostrich strategy of putting their heads in the sand and others are responding in a typical knee-jerk reactive mode," he said, adding that Microsoft falls in the latter column.
He noted that Microsoft came out with its patch for Exchange in mid-to-late January, then replaced it with a new version in the last two weeks, leaving just over a month to get it deployed. He is also critical of the software giant for leaving customers with systems older than Windows XP in the dust. Microsoft no longer offers mainstream support for Windows 2000, for example, and those who are using that version must pay for their DST patch.
Wessel agrees Microsoft should have acted sooner, but he believes other vendors have been equally lax. Research In Motion Ltd. (RIM), for example, only released a DST fix for its BlackBerry devices in the last couple of weeks and for BlackBerry servers in the last week. That, he said, is just too late.
"IT vendors have probably been a bit more quiet about this than they should have been," Wessel said. "Some vendors are not saying much of anything, and they need to say more."
Microsoft defends its response
M3 Sweatt, chief of staff for Microsoft's Windows Core Operating System Division, defended the software giant's handling of the DST issue. While some IT administrators say the company waited too long to respond, Sweatt noted that Microsoft first started putting out information on the DST change in the middle of last year, and that the information has been updated regularly on the company Web site.
"We've tried to be very proactive in making people aware of the DST change and the effect it would have on them," he said. "We decided that once we fell back in 2006, we'd start posting the initial operating system updates. That has been followed by a number of updates for different products."
Sweatt said Microsoft has offered very specific guidance to business environments. "We've provided a series of free tools to help them deal with calendar items that may need to be shifted by a single hour," he said. "We've provided fairly comprehensive guidance on the Web site, where IT administrators can get information on which products are impacted and what steps they need to take to update those products accordingly."
He acknowledged that customers with older product versions have to pay for their patches, but that they have not been left out in the cold as some have suggested.
"One of the things we've done is provide detail on how to manually update systems that are no longer under mainstream support, like Windows 2000," he said. "There had to be a fee for us to recover the costs for maintaining older software ... which includes maintaining a team of engineers to deal specifically with older products. We have also provided detailed instructions on how to make manual updates for free."
Is this really that big a deal?
While the DST change is causing a lot of anxiety, one analyst wonders if it's really worth all the fuss.
"For the life of me, I can't figure out what the big deal is, and how it could ever compare to Y2K," Pete Lindstrom, senior analyst at Midvale, Utah-based Burton Group, wrote in his Spire Security Viewpoint blog. "There is a big difference between being off by 100 years and off by an hour."
He said that if an hour really matters to the performance of business applications, IT shops should have a strong handle on it by now.
"The most interesting thing about the DST issue is that it brings time into the limelight," he said. "We really don't work too hard to ensure the validity of our entire time infrastructure on the Internet, anyway. In the same way that we can spoof email addresses and electronic signatures, we can also spoof time."
His advice to IT security professionals: Don't worry about an hour here or there. Instead, worry about the integrity of your entire time infrastructure.