Cybersecurity Practical Guide for MBA Students

Module: Legal Aspects of Business / IT Management (or relevant module) – Practical Session

Topics: 2FA, DKIM/SPF, WordPress Hack Recovery, Web Hosting Security, SSL Installation, .htaccess, Sucuri SiteCheck, Social Media & Phone Privacy, Dos and Don’ts.

Introduction:

This guide provides practical steps and considerations for implementing various cybersecurity measures. While specific commands and interfaces vary depending on the platform or service provider, these steps outline the general process and key areas to focus on.

1. Two-Factor Authentication (2FA)

Concept: Adds a second layer of security beyond just a password. Even if someone steals your password, they also need access to your second factor (e.g., phone app, SMS code, hardware key) to log in.

Practical Steps (General):

  1. Identify Critical Accounts: Prioritize enabling 2FA for email (especially primary recovery email), banking, social media, cloud storage, and any work-related accounts.
  2. Navigate to Security Settings: Log in to the account and find the ‘Security’ or ‘Login & Security’ section in the account settings/profile.
  3. Find 2FA/Two-Step Verification Option: Look for options like “Two-Factor Authentication,” “Two-Step Verification,” or “Login Approval.”
  4. Choose a Method: You’ll typically be offered options:
  • Authenticator App (Recommended): Use apps like Google Authenticator, Microsoft Authenticator, Authy, or Duo Mobile. You’ll scan a QR code (which carries a shared secret) to link the account, and the app generates time-based one-time codes (TOTP) that change every 30 seconds.
  • SMS Codes: Receive codes via text message. Convenient but less secure than authenticator apps: an attacker who takes over your phone number (SIM swapping) receives your codes.
  • Hardware Security Keys (Most Secure): Physical devices (like YubiKey) that plug into USB or use NFC. Keys using FIDO2/WebAuthn are bound to the real website’s origin, so a fake login page cannot obtain a usable response; a TOTP or SMS code, by contrast, can be phished and relayed in real time.
  • Email Codes (Least Secure): Avoid using this if possible, especially if it’s the same email account you’re securing.
  5. Follow Setup Instructions: The service will guide you through linking your chosen method.
  6. Save Backup Codes: Most services provide one-time use backup codes. Save these securely offline (print them, store them in a safe place). They are crucial if you lose access to your second factor.
  7. Test: Log out and log back in to ensure 2FA is working correctly.

2. DKIM & SPF (Email Authentication)

Concept: These are DNS (Domain Name System) records that help prevent email spoofing (where attackers send emails pretending to be from your domain). They authenticate your outgoing emails.

  • SPF (Sender Policy Framework): Specifies which mail servers are authorized to send emails on behalf of your domain.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails, allowing receiving servers to verify the email originated from an authorized server and wasn’t tampered with.

Practical Steps (General – Requires DNS Access):

  1. Identify Your Email Sender: Determine which services send email using your domain (e.g., Google Workspace, Microsoft 365, Mailchimp, your web server).
  2. Obtain SPF/DKIM Records: Your email service provider will provide the specific SPF rules and DKIM public keys (often as TXT records) you need to add.
  • Example SPF (Conceptual): “v=spf1 include:_spf.google.com include:servers.mcsv.net ~all” (This allows Google and Mailchimp; anything else gets a soft fail. Once you are confident the record lists every legitimate sender, change ~all to -all so receivers reject spoofed mail rather than merely flag it.)
  • Example DKIM (Conceptual): You’ll typically get a selector name (e.g., google) and a long public key value; the TXT value looks like “v=DKIM1; k=rsa; p=<public key>”.
  3. Access Your Domain’s DNS Settings: Log in to your domain registrar (e.g., GoDaddy, Namecheap) or DNS hosting provider (e.g., Cloudflare).
  4. Create TXT Records:
  • For SPF: Create a TXT record for your main domain (@ or yourdomain.com.). Paste the SPF rule provided by your email service into the value field. Note: You must have only ONE SPF record per domain; a second one makes receivers treat the result as a permanent error and ignore both. If you use multiple services, merge their include: entries into one record, and keep the total under the limit of 10 DNS lookups (each include:, a, mx, exists and redirect counts).
  • For DKIM: Create a TXT record. The ‘Host’ or ‘Name’ is the selector followed by ._domainkey (e.g., google._domainkey.yourdomain.com.). Paste the DKIM public key value provided by your email service into the value field. Each sending service uses its own selector, so you will have one DKIM record per service.
  5. Save Changes & Wait: DNS changes can take time to propagate (minutes to 48 hours).
  6. Verify: Use online SPF/DKIM check tools (e.g., MXToolbox) to verify your records are set up correctly after propagation. Also send a test message to a mailbox you control and inspect its Authentication-Results header for spf=pass and dkim=pass. Your email provider might also have a verification tool in their admin panel.

(Note: Also set up DMARC (Domain-based Message Authentication, Reporting & Conformance). It is a TXT record at _dmarc.yourdomain.com that builds on SPF/DKIM and tells receiving servers how to handle emails that fail checks. Start with p=none plus a reporting address so you can see which legitimate senders are failing before moving to p=quarantine or p=reject.)
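The two rules above that trip people up (exactly one SPF record, and at most 10 DNS lookups) are easiest to understand by watching a receiver evaluate a record. The following is an added example, not code from the original guide or from any mail provider: a simplified SPF evaluator that walks the ip4/ip6/include/all mechanisms of RFC 7208 against a constructed in-memory DNS table. All domain names and addresses in FAKE_DNS are documentation/test values, and the a, mx, exists and redirect mechanisms are deliberately not modelled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains and addresses are documentation/test values, not real providers.
FAKE_DNS = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example include:bulk.example -all"
    ],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "bulk.example": ["v=spf1 ip4:192.0.2.10 -all"],
    # Two SPF records on one name: receivers treat this as a permanent error.
    "two-records.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
}
# A chain of nested includes that exceeds the RFC 7208 limit of 10 lookups.
for i in range(12):
    FAKE_DNS[f"chain{i}.example"] = [f"v=spf1 include:chain{i + 1}.example -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def get_spf_record(domain, dns):
    """Return the domain's single SPF record, None if absent, or raise if there
    is more than one (the 'only ONE SPF record per domain' rule)."""
    records = [r for r in dns.get(domain, [])
               if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    if not records:
        return None
    if len(records) > 1:
        raise ValueError(f"multiple SPF records for {domain}")
    return records[0]


def _evaluate(ip, domain, dns, lookups):
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Membership is False when a v4 address is tested against a v6 network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1                  # every include: costs one DNS lookup
            if lookups[0] > MAX_LOOKUPS:
                raise ValueError("more than 10 DNS lookups")
            if _evaluate(ip, arg, dns, lookups) == "pass":
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists and redirect= also cost lookups but are not modelled here.
            raise ValueError(f"mechanism not modelled: {name}")
    return "neutral"                         # no mechanism matched and no "all"


def spf_result(ip, domain, dns=FAKE_DNS):
    """Return pass / fail / softfail / neutral / none / permerror for a sending IP."""
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, dns, [0])
    except ValueError:
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.com"), ("192.0.2.11", "example.com"),
                    ("192.0.2.1", "two-records.example"), ("192.0.2.1", "chain0.example")]:
        print(f"{ip:>14} from {dom:<22} -> {spf_result(ip, dom)}")
```

Note how an included provider’s own ~all never leaks into your result: an include: only contributes a match when the nested evaluation returns pass, so your own trailing -all is what decides unknown senders.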

3. WordPress Hack Recovery (Basic Steps)

Disclaimer: If you suspect a serious hack, especially involving sensitive data, consider engaging professional cybersecurity help. These are basic steps.

  1. Isolate Your Site (If Possible): Put your site into maintenance mode using a plugin or .htaccess rule (Redirect 503 /).
  2. Scan Your Computer: Ensure your own computer isn’t compromised, as stolen FTP/admin passwords are a common infection vector.
  3. Change Passwords: Immediately change passwords for: WordPress Admin users, database users, hosting account, FTP/SFTP accounts. Use strong, unique passwords. Also regenerate the secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, etc.) in wp-config.php so that every existing login cookie, including any the attacker holds, becomes invalid.
  4. Check User Accounts: Look for any unfamiliar administrator accounts in WordPress and delete them.
  5. Scan Your Site: Use security plugins (like Wordfence, Sucuri Security) to scan for malware, backdoors, and modified core files. Also use external scanners (like Sucuri SiteCheck).
  6. Clean Infected Files:
  • Restore from Backup (Best Option): If you have a clean backup taken before the compromise, restore it. This is often the quickest way, but restoring a backup that already contains the backdoor only restarts the problem, so check the backup date against when the symptoms began.
  • Manual Cleaning (Advanced): Carefully identify and remove malicious code or files identified by scans. Compare core files/plugins with fresh copies from WordPress.org or the plugin developer. Be cautious not to delete essential files.
  • Reinstall Core Files: Use the WordPress dashboard (Dashboard -> Updates -> Re-install version X.X.X) to replace core files.
  • Reinstall Themes/Plugins: Reinstall themes and plugins from official sources after noting your settings. Delete any unused/suspicious ones.
  7. Check .htaccess and wp-config.php: These are common targets. Look for suspicious rules or code. Restore from clean copies if unsure.
  8. Rescan: Run scans again to ensure the site is clean.
  9. Update Everything: Ensure WordPress core, themes, and plugins are fully updated.
  10. Harden Security: Implement preventative measures (see Web Hosting Security, .htaccess).
  11. Remove Maintenance Mode.
  12. Request Review (If Blacklisted): If your site was blacklisted by Google or others, request a review via Google Search Console after cleaning.

4. Security in Web Hosting Platforms

General Practices (Apply to most hosting types – Shared, VPS, Dedicated):

  1. Choose a Reputable Host: Look for hosts with good security track records, server monitoring, and support.
  2. Strong Credentials: Use strong, unique passwords for your hosting control panel (cPanel, Plesk, etc.), FTP/SFTP accounts, and database users. Enable 2FA if offered by the host.
  3. Keep Software Updated: Regularly update your CMS (WordPress, Joomla, etc.), themes, plugins, and any server-side software (PHP, Apache/Nginx if managing a VPS/Dedicated server).
  4. Regular Backups: Implement an automated backup solution (often provided by the host, but also use independent backup plugins/services). Store backups off-server. Test your restore process periodically.
  5. Use SFTP/SSH: Prefer secure protocols (SFTP, SSH) over plain FTP for file transfers.
  6. Limit File Permissions: Set appropriate file permissions (755 for directories and 644 for files is the common baseline; restrict wp-config.php further, e.g., 600 or 640, where your host allows it). Avoid overly permissive settings like 777, which let any process on a shared server write to your files.
  7. Install Security Plugins/Tools: Use reputable security plugins for your CMS (e.g., Wordfence, Sucuri Security for WordPress) for firewalling, scanning, and login protection.
  8. Use SSL/TLS: Encrypt traffic between your site and visitors (see next section).
  9. Monitor Logs: Periodically check server access and error logs for suspicious activity (more relevant for VPS/Dedicated).
  10. Web Application Firewall (WAF): Consider using a WAF (like Cloudflare, Sucuri WAF, or built-in options from your host) to filter malicious traffic before it reaches your site.

5. SSL/TLS Installation

Concept: Transport Layer Security (TLS) encrypts data transferred between a user’s browser and your web server (HTTPS). SSL (Secure Sockets Layer) is its deprecated predecessor, but the name lives on in product and control-panel labels such as “SSL certificate”. Essential for security, trust (padlock icon), and SEO.

General Process:

  1. Obtain an SSL Certificate:
  • Via Hosting Provider: Many hosts offer easy SSL installation (often free via Let’s Encrypt) directly through their control panel (cPanel AutoSSL, Plesk SSL It!). This is the simplest method.
  • Let’s Encrypt (Free): A popular free, automated certificate authority. Often integrated into hosting panels or can be used with tools like Certbot on VPS/Dedicated servers. Certificates are valid for 90 days and need automated renewal.
  • Commercial CAs: Purchase certificates from providers like Sectigo (formerly Comodo), DigiCert, GlobalSign. They offer different validation levels (DV, OV, EV) and longer validity (typically 1 year). Note that the validation level changes what the CA verified about the organisation, not the strength of the encryption.
  2. Generate a CSR (Certificate Signing Request): If not using an automated host process, you’ll need to generate a CSR on your server. This contains your domain name and public key; the matching private key stays on the server and must never be sent to the CA or anyone else.
  3. Domain Validation: The CA needs to verify you control the domain. This is usually done via email validation, DNS record validation, or HTTP file validation. Follow the CA’s instructions.
  4. Receive & Install Certificate: Once validated, the CA issues the certificate files (usually .crt, .ca-bundle). Install these on your web server via your hosting control panel or server configuration files (Apache/Nginx). Your host’s documentation or support can guide you.
  5. Configure Web Server for HTTPS: Ensure your web server (Apache, Nginx) is configured to use the installed certificate for port 443 (HTTPS).
  6. Force HTTPS: Redirect all HTTP traffic to HTTPS using .htaccess (see below) or server configuration to ensure all connections are secure. Once the redirect is verified, you can additionally send a Strict-Transport-Security (HSTS) header so browsers refuse plain HTTP for your domain.
  7. Test: Use online SSL checker tools (e.g., SSL Labs SSL Test) to verify correct installation and configuration, including that the full chain (.ca-bundle) is served. Check your site in a browser for the padlock icon, and fix any “mixed content” warnings caused by images or scripts still loaded over http://.

6. .htaccess Security Directives (Apache Web Server)

Concept: .htaccess is a per-directory configuration file read by the Apache web server, provided the host’s main configuration allows overrides (AllowOverride). You can add directives to it to enhance security. Caution: Incorrect syntax, or a directive that is not permitted in .htaccess, produces a “500 Internal Server Error” for the whole directory tree. Always back up the file before editing and test immediately afterwards.

Location: Usually in the root directory of your website (e.g., public_html). It might be hidden; enable “Show Hidden Files” in your file manager/FTP client.

Example Directives:

# Protect sensitive files such as .htaccess itself and wp-config.php (WordPress).
# Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" / "Deny from all" instead.
<FilesMatch "^(\.htaccess|wp-config\.php)$">
  Require all denied
</FilesMatch>

# Disable directory browsing/listing
Options -Indexes

# Prevent execution of PHP in the uploads directory (WordPress example).
# <Directory> is NOT permitted inside .htaccess (it causes a 500 error), so put
# the following lines in a separate .htaccess file inside wp-content/uploads/:
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  Require all denied
</FilesMatch>

# Force HTTPS (ensure the certificate is installed and working first!)
# If a CDN or proxy such as Cloudflare terminates TLS in front of your server,
# %{HTTPS} stays "off" and this rule loops; test the proxy's header instead,
# e.g. RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block access from specific IP addresses (replace with the actual addresses).
# In Apache 2.4 a negated "Require not" is only valid inside <RequireAll>.
# <RequireAll>
#   Require all granted
#   Require not ip 192.168.1.100
#   Require not ip 10.0.0.0/24
# </RequireAll>

# Prevent hotlinking of images (replace yourdomain.com). The first condition
# keeps allowing requests with no Referer header, which is normal for direct
# visits and some privacy settings; the second escapes the dot so "yourdomainXcom"
# cannot match. RewriteEngine On is needed once per file.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

(Note: Nginx uses a different configuration file structure, not .htaccess.)

7. Sucuri SiteCheck

Concept: A free online tool (sitecheck.sucuri.net) that scans your website externally for known malware, blacklisting status, website errors, and outdated software.

How to Use:

  1. Go to sitecheck.sucuri.net.
  2. Enter your website URL (e.g., https://www.yourdomain.com).
  3. Click “Scan Website”.
  4. Review the results:
  • Malware: Checks for known malicious code injections.
  • Blacklisting: Checks against services like Google Safe Browsing, McAfee, etc.
  • Website Firewall: Detects if a known WAF is present.
  • Website Details: Shows CMS version (if detectable), server IP, etc. (Check for outdated software).
  • Links & Scripts: Lists external scripts loaded (review for anything suspicious).
  5. Action: If issues are found (malware, blacklisting), investigate further using server-side scanners (like the Wordfence/Sucuri plugin) or follow the hack recovery steps. Keep in mind what an external scanner can and cannot see: it only inspects the pages served to its crawler, so it cannot find backdoor files on the server, and malware that only activates for certain visitors (for example, by User-Agent or referrer) may not show up. A clean SiteCheck result is therefore necessary but not sufficient.

8. Facebook & WhatsApp Privacy Settings

General Advice: Regularly review privacy settings as platforms update features and defaults can change.

Facebook:

  1. Privacy Checkup: Use Facebook’s guided tool (Settings & Privacy -> Privacy Checkup). It covers who sees your posts, profile info, app permissions, and ad settings.
  2. Audience Selector: Be mindful of the audience (Public, Friends, Only Me, Custom) when posting status updates or photos. Check the default setting.
  3. Profile Information: Review who can see your friends list, email, phone number, birthday, etc. (Settings & Privacy -> Settings -> Audience and Visibility).
  4. App Permissions: Review apps and websites linked to your Facebook account and remove any you don’t recognize or use (Settings & Privacy -> Settings -> Apps and Websites).
  5. Location Services: Control whether Facebook can access your precise location (via phone settings) and review your Location History if enabled.
  6. Facial Recognition: Facebook retired its face recognition feature in late 2021. If an equivalent setting still appears in your region or app version, decide whether you want to be recognised in photos and videos (Settings & Privacy -> Settings -> Face Recognition).
  7. Ad Preferences: Review your ad interests and information used to show you ads (Settings & Privacy -> Settings -> Ad Preferences).

WhatsApp:

  1. Account Privacy Settings: Go to WhatsApp Settings -> Account -> Privacy.
  2. Last Seen & Online: Control who sees when you were last active or if you’re currently online (Everyone, My Contacts, My Contacts Except…, Nobody).
  3. Profile Photo: Control who sees your profile picture.
  4. About: Control who sees your ‘About’ status.
  5. Status Privacy: Control who sees your status updates (My Contacts, My Contacts Except…, Only Share With…).
  6. Read Receipts: Toggle on/off blue ticks indicating messages have been read (disabling also means you won’t see others’ read receipts, except in group chats).
  7. Groups: Control who can add you to groups (Everyone, My Contacts, My Contacts Except…).
  8. Live Location: Manage apps/chats you’re sharing live location with.
  9. Blocked Contacts: Manage blocked users.
  10. Two-Step Verification: (Settings -> Account -> Two-Step Verification) Highly recommended. Adds a PIN code required when registering your phone number with WhatsApp again.

9. Android Phone Privacy & Security Settings

Location: Settings menus vary slightly by manufacturer and Android version.

  1. Permissions Manager: (Settings -> Privacy -> Permission manager OR Settings -> Apps -> App permissions) Review which apps have access to sensitive permissions like Location, Camera, Microphone, Contacts, Files, Phone. Revoke permissions from apps that don’t need them. Pay attention to “Allow only while using the app” vs. “Allow all the time” for location.
  2. Location Services: (Settings -> Location)
  • Turn off Wi-Fi and Bluetooth scanning for location if not needed.
  • Review and disable Google Location History if desired (via Google Account settings).
  • Check Emergency Location Service settings.
  3. Google Account Settings: (Settings -> Google -> Manage your Google Account -> Data & privacy) Review Web & App Activity, Location History, YouTube History settings. Configure auto-delete options. Run the Privacy Checkup.
  4. Screen Lock: Use a strong PIN, password, or pattern. Consider fingerprint or face unlock as convenient additions (but have a strong fallback).
  5. Find My Device: (Settings -> Security OR Settings -> Google -> Find My Device) Ensure it’s enabled to locate, lock, or wipe your phone if lost or stolen.
  6. App Installation: Only install apps from the Google Play Store. Disable “Install unknown apps” for browsers and other apps unless you have a specific, trusted reason. Review app permissions before installing.
  7. Software Updates: Install Android OS updates and security patches promptly when available.
  8. Network Settings: Be cautious connecting to unknown public Wi-Fi networks. Use a VPN on public Wi-Fi if handling sensitive data.

10. General Cybersecurity Dos and Don’ts

Dos:

  • DO use strong, unique passwords for different accounts. Use a password manager.
  • DO enable Two-Factor Authentication (2FA) wherever possible.
  • DO keep your operating system, browser, and applications updated.
  • DO back up your important data regularly.
  • DO be suspicious of unsolicited emails, messages, or calls asking for personal information (phishing). Verify requests through official channels.
  • DO check URLs carefully before clicking links or entering credentials: read the actual domain, not just whether HTTPS and the padlock are present. The padlock only means the connection is encrypted; phishing sites obtain certificates just as easily as legitimate ones.
  • DO install reputable antivirus/anti-malware software on your computers and phones.
  • DO review app permissions and privacy settings regularly.
  • DO use secure Wi-Fi networks. Use a VPN on public Wi-Fi.
  • DO lock your devices (computer, phone) when unattended.

Don’ts:

  • DON’T reuse passwords across multiple websites.
  • DON’T click on suspicious links or download attachments from unknown senders.
  • DON’T share sensitive personal information (passwords, OTPs, financial details) via email or unsecure messages.
  • DON’T install software from untrusted sources.
  • DON’T ignore software update notifications.
  • DON’T use unsecured public Wi-Fi for sensitive transactions (banking, shopping) without a VPN.
  • DON’T leave your devices unlocked and unattended.
  • DON’T overshare personal information on social media.
  • DON’T grant excessive permissions to mobile apps.
  • DON’T believe every offer or warning you see online – verify independently.

Conclusion:

Cybersecurity is an ongoing process, not a one-time fix. Regularly reviewing settings, staying informed about threats, and practicing good security hygiene are essential for protecting yourself and your business assets in the digital world.


April 20, 2025

Copyright © 2011-2025 Seven Boats Academy. All rights reserved.