IT administrators are racing to update systems ahead of the March 11 start to daylight-saving time (DST). Nobody's concerned about the firewall or antivirus software flaking out, but anxiety abounds over other potential security consequences.
Starting this year, DST will be extended by four weeks in the U.S., Canada, Bermuda and the Bahamas because of the Energy Policy Act of 2005. It will begin the second Sunday of March instead of the first Sunday in April, and will be extended until the first Sunday in November instead of the last Sunday in October. IT shops must now apply a series of patches from their various IT vendors to ensure electronic appointment calendars and other software tools aren't knocked off kilter when the clocks spring an hour ahead.

While basic security tools won't be affected by the switchover, some IT administrators fret about possible timing glitches in their forensic and auditing tools, while others worry about security fixes gathering dust as IT shops focus instead on DST patching. Network access controls could also be affected, they say.

"Really, anything that is time sensitive could be problematic," said Joshua Lutz, network analyst for a large New England law firm. "For a basic example, think of a building security system that does not change time correctly. If you limit the times a particular employee can access the facility, what happens when they show up to work at the correct time but the security system thinks it's an hour too early? In that example, it is merely an inconvenience, but it illustrates a problem that could have more severe consequences."

Lutz also worries about the potential impact on network auditing.

"Say your user account is utilized to perform some nefarious action by someone impersonating you just after you leave your shift, but according to the building security system you hadn't left yet because it's an hour behind," he said in an email. "Is it problematic? Yes. Is it discoverable? Yes. Is it fixable? Yes. Is someone going to have a really bad day who might not deserve it? Maybe."
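The badge-log versus audit-log mismatch described above can be checked directly. The following Python sketch is an added example, not part of the original article: it computes the old and new U.S. DST windows and normalizes timestamps from a device still running the old rules before comparing them with a patched server's log. The function names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of a month (n=-1 means the last Sunday)."""
    if n > 0:
        first = datetime(year, month, 1)
        offset = (6 - first.weekday()) % 7          # Monday=0 ... Sunday=6
        return first + timedelta(days=offset + 7 * (n - 1))
    nxt = datetime(year + (month == 12), month % 12 + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)

def dst_window(year, patched):
    """DST start/end in local *standard* time under the new or old rules."""
    if patched:   # second Sunday of March to first Sunday of November
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:         # first Sunday of April to last Sunday of October
        start, end = nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)
    # Switch at 02:00 wall clock: 02:00 standard in spring, 01:00 standard in fall.
    return start + timedelta(hours=2), end + timedelta(hours=1)

def wall_clock(std_time, patched):
    """Wall-clock reading a system shows for a given local standard time."""
    start, end = dst_window(std_time.year, patched)
    return std_time + timedelta(hours=1 if start <= std_time < end else 0)

def correct_unpatched(ts):
    """Map a timestamp logged by an old-rules device to correct wall-clock time.
    In the ambiguous fall-back hour this picks the standard-time reading."""
    for off in (0, 1):
        std = ts - timedelta(hours=off)
        if wall_clock(std, patched=False) == ts:
            return wall_clock(std, patched=True)
    raise ValueError("timestamp does not exist under the old DST rules")

def acted_after_leaving(action_ts, badge_out_ts, badge_patched):
    """True if the account activity is logged after the user badged out."""
    if not badge_patched:
        badge_out_ts = correct_unpatched(badge_out_ts)
    return action_ts > badge_out_ts

# Constructed sample: 20 March 2007 falls in the gap between new and old rules.
BADGE_OUT = datetime(2007, 3, 20, 16, 0)   # logged by an unpatched badge system
ACTION = datetime(2007, 3, 20, 16, 30)     # logged by a patched server

if __name__ == "__main__":
    print("raw comparison flags user:", acted_after_leaving(ACTION, BADGE_OUT, True))
    print("after normalizing badge log:", acted_after_leaving(ACTION, BADGE_OUT, False))
```

Taken at face value, the two logs say the account was used half an hour after its owner left the building; once the badge timestamp is corrected to 17:00, the activity falls while the owner was still on site.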

The link for this article located at SearchSecurity.com is no longer available.