Analecta Cyber Company Blog: Cryptographic Hashes: Verifying the Integrity of Your File System Baseline

2018-10-16

We have discussed the importance of establishing a baseline for data flow across your network and the criticality of identifying abnormal activity before it wreaks havoc on your business systems. The National Institute of Standards and Technology (NIST) recommends that IT cybersecurity teams use cryptographic hashes to detect unauthorized changes to software, firmware and information stored on your network.

What is a cryptographic hash?

A cryptographic hash of a single file (or a collection of files) is like a unique digital fingerprint. Creating a hash value is straightforward: the tools range from simple command-line utilities to downloadable GUI applications.

Cryptographic hash functions are the algorithms that compute these values, and they are the building block for a file system baseline. Compare the hash calculated for some set of files with the hash of the same files after some time interval: if the two values match, the contents were not altered; any alteration, intentional or malicious (for example, by a virus), produces a different value.

There are many applications that can create a cryptographic hash (a unique fingerprint) of a file or file system. MD5 and SHA Checksum Utility 2.1 is but one of a handful of hash-producing tools.

Cryptographic hash standards

There are several cryptographic hash standards that are known and used in the cyber community. They stem from two primary hash families.

The MD family (MD = message digest), currently on version 5:
  • MD5 - The MD5 algorithm is a widely used hash function that produces a 128-bit value (that's 2 to the 128th power of possible values!). It is most frequently used as a checksum to compare hashes taken at different times and verify file or data integrity. MD2 was started in 1989 for 8-bit computing and replaced a year later by MD4 for 128-bit computing.

The SHA family (SHA = secure hash algorithm):
  • SHA-1 - Released in 1995, this hash function produces longer, 160-bit values.
  • SHA-2 - Its successor, the National Security Agency (NSA)-designed SHA-2 family, has several hash functions that produce values up to 512 bits.
  • SHA-3 - NIST published SHA-3 as a hashing standard in 2015. Although it is computed differently than MD5 or SHA-2, its output hash values have the same lengths as SHA-2.

What information is included in a baseline

Design your file system baseline with your critical applications in mind. A minimal baseline should contain metadata for:
  • All device files
  • Critical system libraries
  • System binaries
  • System configuration files
In turn, the file metadata will include:
  • The type of file
  • The file owner
  • Modification times
  • File size
  • A cryptographic hash of the file's contents
Record your baseline and keep a copy of it in an offline storage medium for use during a response or recovery action. Update your records as the baseline is updated and record the date of any changes. It is also a good practice to take a hash of any backups that are sent off for storage and check the hash before recovering from the backup, in case the backup itself has somehow been corrupted. 

Now implement it!

Establishing baseline hashes and running these hashes against all of the systems across your network can take a considerable amount of time to accomplish. One way to make this process more efficient is to use the same starting image across devices of the same type. For example, create an install image for users' workstations that includes all of your required applications and their corresponding updates. Once you have verified that there are no errors or corruption in this image, create a hash of the image. As you add new workstations, start with that install image and verify the hash after the installation.

Now that you have a starting point, update the baseline hash values as software is updated. Download the updates, validate the installation and confirm there are no errors or viruses, and create a new hash. If you try to compare baseline hashes of each of the different workstations against the image baseline without specifying the core files, the hashes will always be different as each user will have downloaded or created different files. Be sure to document which files are part of the baseline and update that list when changes are made. Include the names of the individuals making changes and the dates of the changes in your documentation.
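As an added example (not code from the original post or from Analecta), here is a Python sketch of the baseline record described in the previous two sections: it captures the listed metadata plus a SHA-256 hash for an explicitly documented set of core files, keeps the record as JSON for the offline copy, and reports which files no longer match. The file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Core files that make up the baseline, listed explicitly as the post advises;
# these names are constructed for the example (relative to the baselined root).
CORE_FILES = ["etc/app.conf", "bin/service", "lib/libcore.so"]

def file_record(root, rel):
    """Metadata the post lists for one file, plus a SHA-256 of its contents."""
    p = Path(root) / rel
    st, h = p.lstat(), hashlib.sha256()
    with open(p, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return {"type": stat.filemode(st.st_mode)[0],  # '-' regular, 'd' dir, 'l' link
            "owner": st.st_uid, "mtime": st.st_mtime_ns, "size": st.st_size,
            "sha256": h.hexdigest()}

def build_baseline(root, core_files=CORE_FILES):
    return {rel: file_record(root, rel) for rel in core_files}

def compare_baseline(baseline, root):
    """Return {path: reason} for every baselined file that no longer matches."""
    findings = {}
    for rel, old in baseline.items():
        if not (Path(root) / rel).exists():
            findings[rel] = "missing"
            continue
        changed = [k for k, v in file_record(root, rel).items() if v != old[k]]
        if changed:
            findings[rel] = "changed: " + ", ".join(changed)
    return findings

def demo():
    """Constructed scenario: baseline a tree, save it as JSON (the offline copy),
    then alter one file with size and mtime forged, and delete another."""
    with tempfile.TemporaryDirectory() as root:
        for rel in CORE_FILES:
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_bytes(b"original contents of " + rel.encode())
        baseline = json.loads(json.dumps(build_baseline(root)))  # JSON round trip
        target = Path(root) / "bin/service"
        target.write_bytes(b"TAMPERED contents of bin/service")  # same byte length
        os.utime(target, ns=(0, baseline["bin/service"]["mtime"]))  # forge old mtime
        (Path(root) / "lib/libcore.so").unlink()
        return compare_baseline(baseline, root)
```

Size and modification time alone would not reveal the altered binary in `demo()`; only the hash does, which is why the post's metadata list ends with one.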

Analecta’s EarlyWarning system

It is critical to have your finger on the heartbeat of your systems and networks. Identifying network traffic that seeks to compromise the integrity of your systems is a priority for any network owner, but it can be a difficult task to manage with a small staff. The Analecta EarlyWarning system is an Intrusion Detection System (IDS) that takes much of the guesswork out of the equation.


Analecta’s EarlyWarning Network Intrusion Detection System is designed to identify atypical network events and alert IT security staff of possible intrusion activity. The EarlyWarning system is a pairing of an on-site sensor and a cloud-based event collection platform. It integrates easily into nearly any small or medium-size business network.

Following a 30-day acclimation period, false-positive alerts from your network are analyzed and resolved, and the software reconfigured to create a baseline tailored for your specific network. After the training window, active alerts are configured to send event information to your company’s IT or security staff.

Threatening actions within your company’s internal network will be detected and alerts will be sent instantly via text message or email to your designated technical points of contact. During a potential attack, Analecta’s intrusion analysts and system engineers are able to support your efforts to contain and eradicate a cyber attack, and can assist you in recovery to normal business operations. 

If you are looking for expert advice on implementing a cybersecurity program for your company, implementing your file system baseline strategy or would like to learn more about the EarlyWarning anomaly detection system, email us at info@analecta-llc.com or visit the Cyber Security page on our website. We are here to help!
