TPN Assessments: MPA Penetration Testing Guidelines

Read More

The Trusted Partner Association, or TPN, represents a global industry-wide film and television content protection initiative designed with the intention of preventing leaks, breaches, and hacks of their customers’ movies and television shows ahead to their proposed release dates. In order to obtain and maintain TPN vendor status – which will represent a ‘seal of integrity’ within the MPA – Penetration Testing is no longer a suggestion but a necessary, annual practise and that is very good news for the film industry.

TPN Assessments: An Introduction

In 2018, The Motion Picture Association of America (MPA) teamed up with the Content Delivery & Security Association (CDSA) to introduce the Trusted Partner Network (TPN). Since that time, the TPN has put forth the security-geared MPA Best Practises, urging its members and vendors to align to a standard level of security as set out by the MPA – penetration testing of internal and external environments and web applications, on an annual basis, considered the minimum baseline. The hope and primary goal has been to prevent some, or ideally all, of the major leaks that have afflicted the industry for the last few decades, starting with the release of Napster in 1999.

Today, digital piracy continues to be a problem significantly impacting various stakeholders, including consumers, enterprise organizations, and, on the basis of financial impacts, entire countries. This ongoing global problem continues to impact media and content-oriented industries. By imposing MPA Best Practices on all vendors and members, TPN aims to set a single benchmark for minimum security preparedness for the entire industry.

Overall, the TPN program seeks to raise security awareness, preparedness, and capabilities within the film industry. While joining the TPN program is not mandatory, the driving intent behind getting involved in the program is in the vendors’ best interests – carrying the TPN logo will serve as a seal of trust towards doing business with involved parties.

How it Works

Once on board, all MPA vendors are required to hire a TPN approved assessor to carry out an initial audit of both their supply chain and best practices, which, ideally, should be in line with MPA best practices.

Selecting from one of several ‘Qualified Assessors’ from the TPN database, MPA vendors will schedule their assessment and manage the process through a secure online platform. Unless an assessment is carried out at the request of a content owner, vendors will cover all of their own costs. The TPN explains that, with respect to security preparedness, members of the scheme are not passed or failed, however, they will be expected to come up to snuff and prove that with a subsequent positive report from a TPN Accredited assessor.

MPA Best Practices: Common Guidelines

Published as implementation guidance for best practices set out by MPA – penetration testing and vulnerability scanning may just be the best imposed media safeguard the film industry since July of 2001, when Napster was shut down by a federal judge. By raising and setting the bar for not only its member companies, but all involved production vendors, the MPA, through the TPN program has raised security expectations across the industry.

That being said, with 98 pages of MPA Best Practices to review, voluntary compliance starts to make more sense. Fortunately, Packetlabs services are very much in alignment with the expectations laid out in the guidelines. Below, we have described several Packetlabs services that can get your organization started ticking off those boxes.

Penetration Testing

In line with our own beliefs, MPA penetration testing requirements are outlined with a minimum expectation of annual testing across external IP ranges and hosts, as well as all web applications. Further, also in line with Packetlabs’ beliefs, all MPA Penetration testing activities are to be performed by a third-party vendor. While this may, at first, seem like a shameless plug, third-party contractors come with several crucial benefits including a complete absence of internal bias and peace of mind, recognizing that a job is always performed more accurately and effectively when conducted by industry experts who perform these activities daily.

For convenience, we’ve included a summary excerpt of all instances involving MPA Penetration Testing Requirements:

  • Per MS-2.1, Risk Management, conduct external and internal network vulnerability scans and external penetration testing, per DS-1.8 and DS-1.9. (Page 8)

  • Per DS-1.9, Firewall / WAN / Perimeter Security, perform on at least an annual basis, penetration testing of all external IP ranges and hosts and remediate issues. (Page 45)

  • Per DS-15.9, Client Portal, perform annual penetration testing of web applications and remediate any validated issues. (Page 78) *

*Note: Testing should be performed by an independent third party.

In addition to annual MPA Penetration Testing Practices, it is always recommended to run a complete penetration test after any and all significant changes. While monthly vulnerability assessments can be a great way to identify missing patches, for example, a full penetration test is always required after all changes.

Vulnerability Scanning

In line with Packetlabs’ recommendations, in addition to annual MPA Penetration Testing practices, monthly vulnerability scans are a wise and cost-effective means to stay on top of security. You’ll note that in a few positions of TPN’s MPS Best Practices document it’s highlighted (Page 83 and 85) that a vulnerability is not the same as penetration test, in fact, they are much different from both a value and effort standpoint. For some more insight, please review our blog: What is the difference between a VA scan and a pentest?

For convenience, we’ve included a summary excerpt of all instances involving MPA Vulnerability Scanning Requirements:

  • Per MS-2.1, Risk Management, conduct external and internal network vulnerability scans and external penetration testing, per DS-1.8 and DS-1.9. (Page 8)

  • Per DS-1.8, Firewall / WAN / Perimeter Security, perform on at least a monthly basis network vulnerability scans of all external IP ranges and hosts and remediate issues. If applicable, the scope of external scans should include any cloud deployments. (Note: Consider having this performed by an independent third-party.) * (Page 45)

  • Per DS-3.9, LAN / Internal Network, conduct internal network vulnerability scans and remediate any issues, at least annually. (Page 53)

While the document suggests to “consider having this performed by an independent third-party”, we’d point out that based on the cost of such tools, and skills involved, quite often it is more cost effective to use a third-party vendor. As in the case of MPA Penetration Testing, the benefits of using a third-party vendor significantly outweigh the risks, from a security and compliance standpoint.

Physical Security

In addition to MPA Penetration Testing and Vulnerability Scanning requirements, the MPA Best Practices document outline numerous implementation guidelines for physical security. Proficient in objective-based penetration testing, our services also include numerous physical security checks, including tailgating and card cloning allowing a more holistic approach to information (or content) security. As outlined in previous Packetlabs blogs, rogue cleaners or flight risk employees are often involved when an internal threat source is involved.

For particular reference, the MPA Best Practices document outlines physical security in sections PS-1.0 through PS-11.9 (Pages 21 to 41)

Policies & Procedures

Lastly, throughout the MPA Best Practices documentation, all sections including management system, physical security and digital security, particularly MS-4.0, there are strict guidelines regarding policies and procedures. Although many organizations would love to claim their security program is well-managed, upon close examination there is almost always room for improvement.

Our Security Maturity Assessments are geared towards helping your organization build and define a comprehensive set of people, processes and technologies. Depending on individual client requirements, we can assess an entire security program or specific security domains. We calibrate our recommendations against the maturity level of the organization in each specific area. Finally, we weave our recommendations together into a comprehensive security roadmap designed to optimize each client’s future efforts and investments.

If you would like to learn more about Packetlabs Services and how we can help you through the process of MPA Penetration Testing activities or any other services we can deliver on, please do not hesitate to contact us!

Featured Posts

See All

- Blog

London Drugs Gets Cracked By LockBit: Sensitive Employee Data Taken

In April 2024, London Drugs faced a ransomware crisis at the hands of LockBit hackers, resulting in theft of corporate files and employee records, and causing operational shutdowns across Canada.

- Blog

Q-Day And Harvest-Now-Decrypt-Later (HNDL) Attacks

Prime your knowledge about post-quantum encryption and risks it creates today via Harvest-Now-Decrypt-Later (HNDL) attacks.

- Blog

The Price vs. Cost of Dark Web Monitoring

Learn more about the price vs. cost of Dark Web Monitoring in 2024, as well as the launch of Packetlabs' Dark Web Investigators.