Cybersecurity

Apply the NIST Cybersecurity Framework (CSF) to build and measure your organization’s security posture.

Contents

  1. What is the NIST CSF?
  2. Identify
  3. Protect
  4. Detect
  5. Respond
  6. Recover
  7. Implementation Tiers

What is the NIST CSF?

The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the National Institute of Standards and Technology. It provides a common language and systematic methodology for organizations to manage and reduce cybersecurity risk.

The framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 (released 2024) adds a sixth function: Govern.

Identify

Understand your organization’s cybersecurity risks to systems, assets, data, and capabilities.

  • Asset inventory — document all hardware, software, and data assets
  • Business environment — understand your mission, objectives, and dependencies
  • Risk assessment — identify and evaluate threats and vulnerabilities
  • Risk management strategy — establish risk tolerance thresholds
  • Supply chain risk — assess third-party and vendor risks

# Example: quick asset discovery on your network (ping sweep, no port scan)
nmap -sn 192.168.1.0/24 | grep -E "(Nmap scan|Host is up)"

# List running services and their versions
sudo ss -tulpn
sudo systemctl list-units --type=service --state=running

Protect

Develop and implement safeguards to limit the impact of a cybersecurity event.

  • Identity management — enforce MFA, least privilege, and strong passwords
  • Awareness training — regular security training for all staff
  • Data security — encryption at rest and in transit, DLP controls
  • Maintenance — apply patches promptly, automate where possible
  • Protective technology — firewalls, EDR, WAF, IPS

# Enable automatic security updates (Ubuntu)
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Enforce SSH key-only authentication
# The default sshd_config ships the directive commented out ("#PasswordAuthentication yes"),
# so match the commented form too; confirm key-based login works in a second session first.
sudo sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Drop-ins under /etc/ssh/sshd_config.d/ are included first and take precedence; check them as well
grep -r PasswordAuthentication /etc/ssh/sshd_config.d/
# Validate the config before reloading (the unit is "ssh" on Ubuntu/Debian, "sshd" on RHEL)
sudo sshd -t && sudo systemctl reload ssh

Detect

Implement activities to identify cybersecurity events in a timely manner.

  • Anomalies and events — establish baselines and alert on deviations
  • Security monitoring — continuous log collection and SIEM
  • Detection processes — documented procedures for detecting incidents

# Monitor authentication failures (sshd logs to the "ssh" unit on Ubuntu/Debian)
sudo journalctl -u ssh --since "24 hours ago" | grep "Failed password"

# Watch for execution of binaries under /usr/bin (runtime rule only; put it in
# /etc/audit/rules.d/*.rules to survive a reboot), then query with ausearch -k exec_watch
sudo auditctl -w /usr/bin -p x -k exec_watch

# Check failed login attempts
sudo lastb | head -20

# File integrity monitoring with AIDE
sudo apt install -y aide
sudo aideinit                                              # builds /var/lib/aide/aide.db.new
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db    # promote it to the baseline
sudo aide --check
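The "alert on deviations" step above needs more than a grep: a baseline of how many failures are normal and an alert when a source exceeds it. The script below is an added example, not part of the original page; it runs the check over a constructed auth.log excerpt and assumes OpenSSH's standard "Failed password for ... from IP port N ssh2" line format, with the function names and the threshold of 3 chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source IP and flag
# any source at or above a threshold. Assumes OpenSSH's syslog line format.

# Constructed sample auth.log excerpt (offline stand-in for journalctl output).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:19 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:22 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51031 ssh2
Mar  3 10:02:40 web1 sshd[2210]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[2212]: Accepted publickey for alice from 203.0.113.9 port 40023 ssh2'

# failed_logins_by_ip: reads log lines on stdin, prints "COUNT IP" per source,
# highest count first. Only sshd "Failed password" lines are counted, so the
# "Accepted publickey" line is ignored. The IP is the field after "from".
failed_logins_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# alert_on_bruteforce THRESHOLD: prints one ALERT line per IP at/above the
# threshold (default 3). Tune the threshold from your own baseline.
alert_on_bruteforce() {
  local threshold="${1:-3}"
  failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print "ALERT " $2 " failed=" $1 }'
}

# Run against the constructed sample. Against a live host, feed it with:
#   sudo journalctl -u ssh --since "24 hours ago" | alert_on_bruteforce 10
printf '%s\n' "$SAMPLE_AUTH_LOG" | alert_on_bruteforce 3
```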

Respond

Develop and implement response activities for detected cybersecurity incidents.

  • Response planning — documented incident response plan (IRP)
  • Communications — notify stakeholders, regulators, and users as required
  • Analysis — investigate incident scope and impact
  • Mitigation — contain and eradicate the threat
  • Improvements — update procedures based on lessons learned

# Isolate a compromised server (block all inbound traffic except SSH from your IP).
# Add the allow rule before enabling so you are not locked out yourself.
sudo ufw default deny incoming
sudo ufw allow from YOUR_IP_HERE to any port 22 proto tcp
sudo ufw enable

# Capture a process list snapshot at incident time
ps auxf > /tmp/incident_processes_$(date +%Y%m%d_%H%M%S).txt

# Preserve logs before they rotate (-p keeps the original timestamps for the timeline;
# on RHEL-family systems the file is /var/log/secure)
sudo cp -p /var/log/auth.log /tmp/auth_log_backup_$(date +%Y%m%d).log

Recover

Develop and implement activities to restore services impaired by a cybersecurity incident.

  • Recovery planning — documented and tested recovery procedures
  • Improvements — incorporate lessons from incident into future protections
  • Communications — keep stakeholders informed during and after recovery

# Restore from S3 backup
aws s3 sync s3://your-backup-bucket/server-backup/ /restore/

# Verify system integrity after restore
sudo debsums -c    # check Debian package checksums (apt install debsums)
rpm -Va            # verify RPM package integrity (RHEL/CentOS)

Implementation Tiers

NIST CSF defines four tiers that describe the sophistication of an organization’s risk management practices:

  • Tier 1 — Partial: Ad hoc, reactive. No formal processes.
  • Tier 2 — Risk Informed: Risk management approved but not policy-enforced.
  • Tier 3 — Repeatable: Formal, documented policies consistently applied.
  • Tier 4 — Adaptive: Continuous improvement; threat intelligence integrated.

Most organizations should aim for Tier 3 as a baseline. Tier 4 is appropriate for critical infrastructure and highly regulated industries.