Motion Picture Association Updates Cybersecurity Best Practices

The motion picture industry is a high-profile, multi-billion industry that has been targeted by sophisticated cybercrime organizations including, allegedly, nation-state actors.

Like so many other industries, motion pictures rely heavily on digital technology, and not just for animated films. While a few filmmakers (such as Steven Spielberg) insist on using actual film, the vast majority of today’s “films” are actually filmless. Not only are they recorded digitally, but the entire filmmaking process from script writing and editing to filming, editing, post-production is done digitally, as is distribution and promotion.

In addition to the usual cyberthreats that concern businesses — cyberattacks such as ransomware, DDoS, phishing, zero-day exploits, supply-chain attacks — the movies that are the very products of the industry can be exfiltrated in a cyberattack. This is not just a theoretical problem; high-profile hacks have resulted in significant financial loss for major film industry players.

Motion Picture Industry Cybersecurity Breaches

The most notorious industry breach was the 2014 attack on Sony Pictures, widely believed to have been orchestrated by a nation-state government (although they deny any connection). Sony suffered almost every possible ill effect of a cyberattack. They lost employees’ personal information, emails, executive salary data, copies of unreleased films, future plans — the works.

The attackers, a group calling themselves “Guardians of the Peace,” leaked the information stolen from Sony and used malware to disable Sony’s digital infrastructure. The hackers demanded that Sony cancel the planned release of The Interview, a film centering on a plot to assassinate North Korean dictator Kim Jung-un.

The US Department of Justice formally charged a North Korean citizen, who was employed by the country’s equivalent of the CIA, with the attack.

In 2015, Sony took a charge of $15 million for direct costs related to the attack. Damage to their reputation and to their employees’ privacy is harder to quantify, even to this day.

HBO was hacked in 2017; the cyberthieves stole unreleased episodes of the blockbuster show Game of Thrones. The leak of the episodes not only hurt HBO revenues, it had downstream impact on companies HBO collaborates with as well.

A post-production company working on Orange is the New Black was hit with a ransomware attack and 10 unaired episodes of the show were stolen from Netflix.

Motion Picture Association Cybersecurity Best Practices

The Motion Picture Association (MPA), the industry trade group representing the five major studios plus Netflix, has been managing security assessments on behalf of its members for over three decades, reflecting their commitment to helping them secure their content across production, post-production, marketing and distribution.

One of the many ways the MPA supports its members is with detailed recommendations for cybersecurity best practices for film industry players. Over time, these recommendations have become the industry baseline for ensuring that intellectual property and private data will be protected from leakage and theft, throughout the development process.

The MPA recently issued version is 5.2 of their Content Security Best Practices, a significant update that addresses the challenges inherent in the move to the cloud and to remote work.

What’s New in MPA Best Practices?

With the advent of Web 2.0, starting almost two decades ago, the internet became vastly more useful to film industry artists, as well as much riskier for them to use. Useful, since as the reservoir of available images and sound and video clips grew animation, CGI and sound artists came to increasingly value them as models and inspiration for their work. Risky, because with the click of a link, valuable IP can be shared, stolen or otherwise exposed — inadvertently (or less often, maliciously) by an employee or as a result of cyberattacks, which are almost always initiated via the web.

To mitigate the risk, MPA guidelines stipulated that workstations must be separated from the internet. To provide artists with the internet content they need, request-fulfillment processes were created that entailed provisioning separate, internet-connected computers to enable artists to find the web content they need, dedicated staff in a secure location, whose sole task was to download and check that the content was safe, and media on which the content could be passed to the artist. The costs of this process, in terms of equipment, manpower and especially time spent were huge.

Version 4.09 of the MPA Best Practices Guidelines included remote browser isolation solutions, like Ericom Web Isolation, as a more efficient, cost-effective alternative for safeguarding valuable studio IP from the risks posed by internet connectivity — malware attacks as well as content loss. By necessity, 4.10 of the MPA Best Practice Guidelines, which were issued almost a year following the start of pandemic-related closures, dealt extensively with securing film industry content when artists were working remotely and/or from home.

Now, with version 5.2, the MPA has basically accepted the premise that where work happens is largely immaterial, and that content on any device, located anywhere, must be secured. In this new version, some guidelines have become more nuanced, and some have become stricter.

Examples of recommendations that have become more nuanced:

• Earlier versions of the MPA best practices prohibited systems that process or store digital content from having direct internet access. In the event a business case required such access it must be done via isolation. The new version instead prohibits directly accessing “unauthorized” sites, resources, or services, placing greater emphasis on web filtering and access controls.
• The earlier version called for restricting content from being transferred to or from the system. The new version instead restricts particular types of content from being transferred and calls for DNS filtering.
• Similarly, the old version called for blocking download/upload, and copy and paste to an internet gateway from a production system, now the restrictions apply to unauthorized sites.
• And in similar vein, the 30MB limit on file transfer size has been dropped.

Examples of things that have gotten stricter:

• The earlier version prohibits access to restricted or malicious sites. The current version limits access to authorized sites. In other words, they have switched from a “blocklist” approach to an “allowlist” approach, substantially reducing the number of sites a user can access.
• Instead of blocking access to specific file types, access to all executable files is now prohibited.
• The new version prohibits direct email access – requiring email to go through isolation is the best way to protect against email-initiated threats.

Both the earlier version and the current version call for the use of Remote Browser Isolation as an integral component to protecting the network. The new version also talks about the need to take precautions with user-owned devices (Bring Your Own Device, or BYOD). The guidelines call for email filtering, endpoint protection, patching, and similar protections against cyber risk. A more secure alternative to those practices is to rely on Web Application Isolation, which can protect mission-critical applications from malware on user devices by air gapping the application and data from the user, in a reverse form of browser isolation.

Conclusion

Companies in the motion picture industry are desirable targets for cyberthieves. The leading industry association recommends extensive use of isolation as a way to protect against many different kinds of cyberthreats. Check out our quick reference chart, summarizing how Ericom web security solutions can help your studio comply with MPA Best Practice Guidelines. And contact us today to learn why leading studios have been switching to Ericom for RBI.

---

Share this on:

---

About James Lui

Ericom Software Group CTO, Americas