Important Updates to MPA Best Practices You Don’t Want To Miss
Articles by: Richey May, Feb 19, 2020
While we’re still waiting on the MPA Content Security and MPA Member Companies to formalize the App & Cloud best practices, experienced assessors such as Richey May Technology Solutions can use the updated MPA Content Security Best Practices Common Guidelines to assess cloud native workflows in Microsoft Azure, Google’s Cloud Platform (GCP), and Amazon Web Services (AWS). In future posts, we will discuss how we help cloud native vendors pass their TPN Assessments with ease.
One of the most noticeable updates to the MPA Content Security Best Practices Common Guidelines is the re-branding from MPAA to MPA. The re-branding has little impact on the actual assessment; however, all documents have been updated with the new logo and name.
A noticeable theme change in the MPA Content Security Best Practices Common Guidelines relates to the adoption of IP-based security cameras. References to “CCTV systems” (e.g. MS-6.0) have been changed to “surveillance camera systems.” In PS-9.0, the language now references analog CCTV or IP cameras as acceptable, compared to the older wording that covered only analog CCTV systems.
In PS-9.2, additional restrictions around access to NVRs/DVRs were added to require:
- Restricting administrative access to the NVR/DVR from LAN only
- Enabling Multi-Factor Authentication (MFA) for access to the NVR/DVR when possible
- Camera footage to be stored locally unless client approves of cloud storage
- Disallowing access to the NVR/DVR from the content network
Two requirements were added/moved to MS-11.1 (Confidentiality Agreements):
- Mandating documenting/storing a history of terminated personnel for five (5) years at a minimum
- A formal reminder to department personnel of their ongoing confidentiality and non-disclosure responsibilities.
The most substantial change to the MPA Content Security Best Practices Common Guidelines is one that those of us in the M&E cybersecurity field have all been waiting for. The password policy requirements in DS-8.1 have finally been updated to align more closely with NIST 800-63 and to provide options for vendors to select from.
An important point to keep in mind is that the new password requirements also impact password policies for any client portals. In DS-15.1, the separate password requirements for client portals were removed, and the control now references the best practices in DS-8.1. This means that not just local systems, but all applications, portals, etc. need to be updated to comply with the most recent password policies in DS-8.1.
Finally, the MPA Content Security Best Practices Common Guidelines made updates to the definition of Penetration Tests.
“Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability (source: NIST SP800-115).
Note: A vulnerability scan alone does not always suffice as a penetration test.”
If you have any questions about these changes, contact us!
MPA Content Security Best Practices Common Guidelines v4.05
Create a password policy that consists of the following:
- Minimum password length of 8 characters
- Minimum of 3 of the following parameters: upper case, lower case, numeric, and special characters
- Maximum password age of 90 days
- Minimum password age of 1 day
- Maximum invalid logon attempts of between 3 and 5
- User accounts locked after invalid logon attempts must be manually unlocked, and should not automatically unlock after a certain amount of time has passed
- Password history of ten previous passwords
A facility should opt to choose one or more of the following password policies (A to C, listed in order of most preferred) for user accounts for employees, guests, contractors, and/or vendors:
A) Utilize multi-factor authentication (MFA) that uses a combination of two or more of the following:
1. Something they know and only they know (e.g. password)
2. Something they have and only they have (e.g. soft or hard token)
3. Something they and only they are (e.g. biometrics)
B) Password policies that are able to demonstrate the implementation of all the following criteria based on NIST 800-63b:
1. Password length is at least 12 characters
2. Passwords cannot contain common names or dictionary names (e.g. password1234, companyname!, firstnamelastname1) and should be enforced via a password black list
3. Password lockout must occur after 5 invalid attempts and can be automatically locked out after 1 minute
4. A manual password reset must require the password to be changed after the next
5. All password hashes are reviewed quarterly for weaknesses via password cracking
6. Hashes are run through cracking tools for a minimum of 24 hours
7. The password black list is updated quarterly
8. Passwords that are cracked must be added to the black list and changed within 30
C) Create a password policy that consists of the following:
1. Minimum password length of 12 characters
2. Minimum of 3 of the following parameters: upper case, lower case, numeric, and special characters
3. Maximum password age of 365 days
4. Minimum password age of 1 day
5. Maximum invalid logon attempts of between 3 and 5 attempts
6. User accounts locked after invalid logon attempts must be manually unlocked, and should not automatically unlock after a certain amount of time has passed
7. Password history of ten previous passwords
D) Service accounts unable to comply with A) to C) should adhere to the following criteria at a
1. Restrict access to only what is needed for services
2. Minimum password length of 12 characters
3. Minimum of 3 of the following parameters: upper case, lower case, numeric, and special characters
4. Maximum invalid logon attempts of between 3 and 5 attempts
5. Monitoring and alerts of the following activities via central logging:
i. Successful login
ii. Failed logon due to bad password or user name
iii. Failed logon due to account lockout
iv. Failed logon due to inadequate rights
v. Review of activity on a monthly basis
vi. Changing of passwords upon detection of suspicious activity
Consider the use of a Privileged Account Management (PAM) tool
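The length, block-list and lockout criteria in options B and C above are concrete enough to be expressed as a reference check. The following is an added example written for this post; it is not code from the MPA guidelines or from Richey May. The block-list entries, the per-user name context, the `svc_`-free user names and the normalization rule (lowercasing and stripping trailing digits and punctuation so that `password1234` and `companyname!` reduce to their blocked base word) are assumptions about how a facility might implement B.2, and the lockout tracker uses plain epoch seconds rather than any particular directory's clock.

```python
import re

# Constructed block list for illustration; a real deployment loads a large
# breached-password list plus the organisation's own names (B.2, B.7).
BLOCKLIST = {"password", "welcome", "letmein", "qwerty", "companyname"}

# Constructed per-user context: name parts that must not appear in that
# user's password (assumption about how "firstnamelastname1" is caught).
USER_CONTEXT = {"alice": ["alice", "smith"]}


def normalize(pw):
    """Lowercase and strip trailing digits/punctuation so that variants such as
    'password1234' or 'companyname!' collapse to their base word."""
    return re.sub(r"[0-9!@#$%^&*()_+\-=.,?]+$", "", pw.lower())


def violates_blocklist(pw, username):
    """True when the password is a block-listed word or is built from the
    user's own name parts (B.2)."""
    base = normalize(pw)
    if base in BLOCKLIST:
        return True
    names = USER_CONTEXT.get(username, [])
    squashed = re.sub(r"[^a-z]", "", base)
    if names and squashed == "".join(names):
        return True
    return any(name in base for name in names)


def character_classes(pw):
    """Number of the four classes (upper, lower, numeric, special) present."""
    patterns = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, pw))


def check_option_b(pw, username):
    """Option B: at least 12 characters and not on the block list (B.1, B.2)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if violates_blocklist(pw, username):
        problems.append("matches the password block list")
    return problems


def check_option_c(pw):
    """Option C: at least 12 characters and 3 of 4 character classes (C.1, C.2)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if character_classes(pw) < 3:
        problems.append("fewer than 3 of upper/lower/numeric/special")
    return problems


class LockoutTracker:
    """Per-account failed-logon counter; times are epoch seconds.

    threshold=5 with auto_unlock_after=60 models B.3 (automatic release after
    1 minute); auto_unlock_after=None models C.6, where only a manual unlock
    by an administrator clears the lock.
    """

    def __init__(self, threshold=5, auto_unlock_after=None):
        self.threshold = threshold
        self.auto_unlock_after = auto_unlock_after
        self.failures = {}   # account -> consecutive failures
        self.locked_at = {}  # account -> time the lock was applied

    def is_locked(self, account, now):
        locked = self.locked_at.get(account)
        if locked is None:
            return False
        if self.auto_unlock_after is not None and now - locked >= self.auto_unlock_after:
            self.unlock(account)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed logon; returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_at[account] = now
            return True
        return False

    def record_success(self, account):
        """A successful logon resets the consecutive-failure count."""
        self.failures.pop(account, None)

    def unlock(self, account):
        """Manual unlock (C.6) or expiry of the B.3 timer."""
        self.failures.pop(account, None)
        self.locked_at.pop(account, None)
```

The normalization step is the part assessors tend to probe: an exact-match block list accepts `password1234` and `companyname!`, which are precisely the examples the guideline gives, so the check has to reduce candidates to a base word before comparing. Options B and C differ only in the lockout release behaviour here, which is why the tracker takes it as a parameter.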
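The D.5 monitoring items for service accounts amount to a small detection rule set over the central log. The following is an added example, not code from the MPA guidelines or from Richey May: it classifies logon events into the four D.5 categories for accounts that cannot use MFA and flags the conditions under which D.5.vi calls for a password change. The `key=value` log format, the `svc_` naming prefix for service accounts, the sample log lines and the alert threshold are all constructed assumptions rather than the output or settings of any particular product.

```python
import re
from collections import Counter, defaultdict

# Assumption: service accounts are distinguishable by a naming prefix.
SERVICE_ACCOUNT_PREFIX = "svc_"

# Constructed sample of central-log entries; the key=value layout is an
# assumption for this example, not the format of any specific logging product.
SAMPLE_LOG = """\
2020-02-19T10:00:01Z host=render01 user=svc_backup result=success
2020-02-19T10:00:05Z host=render01 user=svc_backup result=failure reason=bad_password
2020-02-19T10:00:09Z host=render01 user=svc_backup result=failure reason=bad_password
2020-02-19T10:00:12Z host=render01 user=svc_backup result=failure reason=account_locked
2020-02-19T10:02:30Z host=ingest02 user=svc_transfer result=failure reason=insufficient_rights
2020-02-19T10:03:00Z host=ingest02 user=alice result=failure reason=bad_password
2020-02-19T10:05:00Z host=ingest02 user=alice result=success
"""

# (result, reason) -> the D.5 category (i to iv) the event belongs to.
CATEGORIES = {
    ("success", None): "successful_login",
    ("failure", "bad_password"): "failed_bad_credentials",
    ("failure", "bad_username"): "failed_bad_credentials",
    ("failure", "account_locked"): "failed_lockout",
    ("failure", "insufficient_rights"): "failed_inadequate_rights",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict with a D.5 category, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["category"] = CATEGORIES.get((event["result"], event["reason"]), "unclassified")
    return event


def summarize(log_text):
    """Count events per service account by category; other accounts are skipped."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["user"].startswith(SERVICE_ACCOUNT_PREFIX):
            counts[event["user"]][event["category"]] += 1
    return counts


def alerts(counts, bad_credential_threshold=2):
    """Return (account, reason) pairs that warrant review and a password
    change under D.5.vi. A lockout outranks the bad-credential count it
    implies; rights failures are reported separately because they point at
    D.1 (access beyond what the service needs)."""
    found = []
    for account, c in sorted(counts.items()):
        if c["failed_lockout"]:
            found.append((account, "account lockout"))
        elif c["failed_bad_credentials"] >= bad_credential_threshold:
            found.append((account, "repeated bad credentials"))
        if c["failed_inadequate_rights"]:
            found.append((account, "access attempt beyond granted rights"))
    return found


if __name__ == "__main__":
    for account, reason in alerts(summarize(SAMPLE_LOG)):
        print(f"ALERT {account}: {reason}")
```

Counting by category rather than alerting on individual lines is what makes the monthly review in D.5.v practical: the same summary table that drives the alerts is the artifact an assessor will ask to see for the review period.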