Breach Incident Response Plan

At Membean, we're committed to taking the necessary steps to prevent security breaches and respond accordingly if and when such a breach may occur.

Please note that this does not reflect our detailed internal procedures, but rather provides insight into our response plan that can be shared with the public without exposing any information that may enable someone to more easily breach our systems.

Prevention

We follow industry security best practices to avoid breaches that may compromise user data:

  • We ensure all of our service accounts have two-factor authentication enabled.
  • We prevent external access to our database servers.
  • We ensure that all systems using credientials have proper password complexity.
  • We limit potential attack surfaces by closing all nonessential ports.
  • We block access from Tor and other dark web browsers.
  • We ensure that Membean can only be accessed via the secure https protocol.
  • We restrict administrative access to our Support staff and selected members of our Customer Success team.
  • We periodically train all our teams on security best practices.

Response

If a security incident is detected, we have procedures in place to address the issue. Please note that this is not an exhaustive list, but an overview of our internal protocols for public consumption.

Identify the entry point

  • What did someone have direct access to?
  • What other systems and/or services were at risk as a result?

Contact internal teams and announce the breach

  • See resources document on which team members need to be involved.

Secure access

  • Lock down the exposed vector.
  • Change credentials if the may have been exposed.
  • Confirm there are no lingering open connections (if intrusion is host-based, secure and reboot).

Audit systems to identify all data accessed (if possible)

  • How did they gain access?
  • Scrape application and system logs.
  • Capture and review database logs.
  • Review any service audit logs.

Stop and replace compromised systems

  • If a host is compromised, we'll assume it is not safe. We'll shut it down and replace it with a fresh host. We'll leave the affected systems available to be reviewed by either internal or external teams.
  • In the event of a database breach, we'll take a snapshot of the data and restore it to a new database instance. We're prepared for the possibility of having to restore an older, pre-intrusion version of the data.
  • In the case of an account breach, we'll lock the account.

Contact legal representatives

  • There may be legal requirements to notify affected parties, particularly in the event of a production data breach.

Notify affected parties

  • As soon as the breach is investigated and the immediate threat remediated, all impacted schools will be promptly notified.
  • For schools that have provided a security contact email or an incident coordinator email we'll contact those individuals right away.
  • In addition for all impacted schools:
    • We'll send an email to the primary contact (the Membean administrator) listing the results of our investigation, mitigation and next steps. This email will prompt the Membean administrator to forward it on to the School's security team.
    • We'll display a banner or in-app message to all active teachers listing the results of our investigation, mitigation and next steps.

Dealing with an SSH breach

  • We'll identify the host or hosts which have been affected, as well as the acccount(s) used in the breach.
  • We'll shut down affected hosts immediately.
  • We'll update the credentials of the affected users.
  • We'll spin up replacement hosts immediately.
  • We'll leave affected hosts offline until they can be forensically inspected.
  • We'll notify all affected users.

Dealing with a Gmail breach

  • We'll identify the affected users.
  • We'll disable access to the affected user.
  • We'll check the user's audit trail.
  • We'll check for recent sent and received email messages.
  • We'll identify how credentials were leaked (all our accounts use two-factor authentication, so we'll figure out the entrypoint).
  • We'll notify any affected connections.

Dealing with a database access breach

  • We'll identify the entry point and ensure that it is closed.
  • We'll take a snapshot of the database immediately. It will be marked with the date, time, and that it is a post-intrusion snapshot.
  • We'll identify the intrusion date and time, and ensure that we have a pre-intrusion backup.
  • We'll change the database credentials and update where necessary.
  • We'll restore a copy of the data pre-intrusion to a new location, and do the same with the post-intrusion snapshot.
  • We'll identify if there were any alterations to the data requiring a restore to a pre-intrusion snapshot.
  • We'll notify users of the breach, and any restorative processes that are required.
  • If a restore is required, we'll switch the application to use the newly restored pre-intrusion backup, terminate the original database, and keep the post-intrusion snapshot for further internal investigation.

Dealing with a Membean application acccount breach

  • We'll reset the password on the affected account immediately.
  • We'll lock the account to prevent password resets.
  • If the affected account is a teacher acccount, we'll take a snapshot of the database immediately and mark it with the date, time, and that it is a post-intrusion snapshot.
  • We'll use stored logs and activity logs to identify any and all data alterations.
  • We'll restore deleted data from pre-intrusion backups (if required).
  • We'll capture metadata (IP addresses, times, etc) of all access over the last 2 weeks.
  • We'll use the post-intrusion database snapshot to investigate all potential reasons for the breach.
  • We'll inform the affected user that their account was accessed by someone else. If a student account is compromised, we'll also inform their teacher.

Differentiated vocabulary for your students is just a click away.