Mary Braunwarth

Mary Braunwarth is a trusted advisor working with Fortune® 500 organizations on decreasing their operational risk while increasing their security posture. Mary focuses on improving her clients’ security maturity by scaling and operationalizing their security testing and vulnerability management programs. Prior to NetSPI, Mary held leadership positions at Digital River and Rackspace and has multiple patents for digital marketing and asset management technologies.
More by Mary Braunwarth

10 Questions to Ask Penetration Testing Companies Before You Buy (May 4, 2021)

Choosing the best pentesting company for your organization is not a simple decision given the hundreds of providers vying for your business, each offering varying levels of expertise, testing methodologies, and technologies to perform penetration tests.

To help you identify the best penetration testing companies for your needs, it is important to ask the right questions. To get started, here are 10 essential questions to ask potential pentesting companies during the RFP process – and what to look for in their responses.

  1. Are your resources contracted resources? If not, what are your hiring practices?
    Ask this question to understand how a company sources its pentesters, project managers, and other day-to-day practitioners working on your assessment. Would you prefer a team that works together often, or a team of outsourced experts? The answer should also provide insight into the effort the company puts into finding the best talent. It is especially important to understand how the company trains its people and ensures they have the expertise your testing requires.
  2. Which regulatory bodies and compliance frameworks does my organization need to be aware of?
    Test the industry knowledge of the pentest companies you are evaluating. Learn how well they understand the external pressures your organization is facing and the additional expertise they can bring to the table.
  3. Can you share a breakdown of the tool-based vs. manual effort that goes into a typical penetration testing engagement?
    Find the right balance between automated scanning and manual testing based on the requirements of your organization. The answer should also reveal the company’s testing methodology and give you an understanding of the vulnerability management tools it uses. Remember: finding critical business logic vulnerabilities requires manual testing, because a scanner does not understand the intended behaviour of your application.
  4. How do you ensure your team is up to date on the latest certifications and training?
    The answer will indicate how much the company values its employees’ continued education and advancement. A company that strives for innovation will have a long list of processes, checklists, peer reviews, and more. Beyond external training and certifications, ask about the technology the company uses to ensure that the quality of an assessment does not depend solely on the tenure of the individual assessor.
  5. How do you ensure return on investment (ROI) from each engagement?
    Ensure your testing partner spends your investment finding business-impactful vulnerabilities, not on administrative tasks. ROI for security initiatives can be difficult to measure, and pentesting is no exception; pentest efficiency is a good place to start. Ask how the company reduces or eliminates the administrative burden of de-duplication and vulnerability tracking, how it enables multiple testers to work simultaneously, and what automated processes it has in place so its pentesters can test efficiently and thoroughly.
  6. How do you contribute to the greater security community?
    Ask this instead of asking a company to “describe your culture.” Explore the ways a pentest company participates in the security community to gauge its drive to innovate: its open source tools and GitHub repositories, public training, conference participation, community involvement, and more. This shows whether the mission and vision statement is actually delivered in day-to-day work.
  7. What do you consider your specific focus areas?
    A straightforward question that can reveal a lot about a pentest company. Which types of pentesting (application, infrastructure, cloud, mobile, red teaming, etc.) are they hired for most? Do they have specific industry niches? What types of companies do they work with, and in what industries? Which technologies enable their services?
  8. How do you ensure consistency and repeatability across all engagements?
    Consistency is key in penetration testing: results should not vary by tester. In the response, look for centralized communication, repeatable processes, vulnerability validation, and tracking of each test’s progress.
  9. How do you plan to grow with my organization over time?
    Maintaining a relationship with one pentest company over time has its benefits, but only if that company can scale with your business. Talk about the plans for your organization and learn how each company can support you at every stage of your growth.
  10. What areas are not addressed within this RFP?
    A key benefit of working with a third-party penetration testing company is that it should be able to look at your security program holistically. Ask this question to explore other possible areas of risk and, as a bonus, learn how the company delivers its recommendations.
Download our 4-part guide: How to Choose the Best Penetration Testing Company

SC Magazine: Rethink your cybersecurity resiliency using a risk-based strategy (February 9, 2021)

On February 9, 2021, NetSPI's VP of Strategic Accounts Mary Braunwarth was featured in SC Magazine:

Security leaders, especially in highly regulated industries, are overwhelmed because their security decisions solely comply with audit and regulatory frameworks.

Many have to comply with HIPAA for healthcare, PCI DSS for credit card handling, and the Office of the Comptroller of the Currency and FDIC for financial services, leaving security teams fatigued and unable to innovate. Over time, their strategy mirrors their organization’s regulatory and compliance demands. This impacts the maturity of security programs and exponentially increases an organization’s risk, making it susceptible to cyberattacks and even nominal regulatory fines. Consider the Citibank incident, in which Citibank was fined $400 million for falling short in its regulatory-driven risk management processes.

Over the years, I’ve observed that security leaders lose control of their programs because they try to meet the ever-growing demands of regulators, line of business, expanding attack surface, and third parties – the list goes on. It’s critical for security leaders to drive an organization’s security strategy – not the second line of defense (risk management) nor the third line (auditors), nor regulators. After all, it’s the security leaders who inform executives and board members of the risk to critical information assets and how to manage it – and whose jobs are on the line.

My recommendation? Security leaders should pivot from their institutionalized regulatory and audit-driven security programs to one that focuses on both risk and compliance.

Read the full article here: https://www.scmagazine.com/perspectives/rethink-your-cybersecurity-resiliency-using-a-risk-based-strategy/


Leading Financial Institution Leveraged NetSPI Red Team Service to Improve Their Security Posture (November 1, 2019)

The Situation

In a report published by consulting firm West Monroe Partners, 40 percent of acquiring businesses said they discovered a high-risk security problem at an acquisition after a deal went through. [1] With this in mind, executive management at one of America’s largest banks wanted to ensure that one of their subsidiaries wasn’t suffering from similar security control gaps. In addition, the bank wanted to understand whether identified security gaps could be leveraged to gain unauthorized access to the subsidiary’s networks and resources. To answer those questions, and to report on the subsidiary’s responsiveness to real-life attack scenarios, the bank hired NetSPI to conduct a red team operation.

The Approach

During some red team operations, clients provide information to save time, such as employee names, reporting structures, policy details, or system targets. In this instance, the test was conducted using a black box approach, meaning no information was provided by the client. Despite this handicap, NetSPI would put the bank’s newly merged digital infrastructure to the test by attempting to achieve and maintain unauthorized network access through both technical testing methods and social engineering. The bank wanted to know whether its systems, services, or employee identification processes were vulnerable. If so, they wanted NetSPI to exploit those vulnerabilities to gain access to critical resources owned by the subsidiary. They also wanted to know whether any operating systems or applications were creating immediate risk and whether the deployed security controls could be bypassed. NetSPI would find out.

The team began by conducting a significant amount of reconnaissance, learning the names of some employees and identifying their email addresses and phone numbers. Armed with this information, NetSPI initiated a targeted social engineering attack. A robo-caller was used to spoof the bank’s voice mail system, asking a targeted employee to verify their identity with their username and password. This tactic was successful in gaining an employee’s username and password. Having successfully obtained the necessary credentials, the next step was to impersonate the employee in an attempt to obtain access to the corporate Virtual Private Network (VPN).

At A Glance

Client: One of the largest U.S. financial institutions, offering a comprehensive range of financial services nationwide.

Challenge: Conduct a black box red team assessment to identify weaknesses in network security, policies, and procedures.

Approach: Use social engineering and technical testing methods to gain credentials, access the network, and escalate privileges.

Results: Security practices and procedures have been strengthened, significantly improving the bank’s overall security posture.

  [1] “Cybersecurity Due Diligence in M&A”, West Monroe Partners, July 12, 2016.

A NetSPI red team member, acting as the targeted employee, called the bank’s IT help desk and stated they were having trouble connecting to the corporate network over the VPN. The help desk provided the NetSPI team member with the information below without verifying the caller’s identity beyond asking for their username, which had already been obtained using the robo-caller:

  • A link from which the VPN client could be downloaded.
  • Installation instructions for the VPN client.
  • A one-time token that could be used for the VPN Multi-Factor Authentication (MFA) process, sent to a non-corporate email address controlled by the NetSPI red team member.

Now, with remote access to the target network and Active Directory domain credentials in hand, NetSPI started examining the environment for privilege escalation paths. It wasn’t long before a critical discovery was made: a Microsoft Windows server had been left unpatched against the EternalBlue vulnerability (the SMBv1 flaw addressed by MS17-010). NetSPI exploited it to gain a foothold on the domain-joined system and continue escalating towards the established targets. This foothold was maintained for multiple days, and the MFA token used to access the network over the VPN was accepted multiple times. This shed light on a gap between the bank’s policy, which mandates that a one-time VPN token expire after 24 hours, and the reality of the subsidiary’s implementation.
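The token reuse described above is visible in VPN authentication logs if anyone correlates issuance with acceptance. The following is an added example, not NetSPI's code or the bank's tooling; it assumes a constructed, simplified log format (timestamp, event, user, token identifier, optional source address) and the 24-hour token lifetime the case study's policy specifies. The sample log lines are constructed for the example.

```python
"""Flag one-time VPN MFA tokens that are accepted more than once, accepted
past their policy lifetime, or accepted without ever having been issued.

Added example for this page; not NetSPI's or the bank's code. The log
format and the token identifiers are assumptions, not from the case study.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(hours=24)  # policy lifetime stated in the case study

# Constructed sample log. Field layout is an assumption for this example:
# <ISO-8601 UTC timestamp> vpn event=<issued|accepted> user=<name> token=<id> [src=<ip>]
SAMPLE_LOG = """\
2019-10-21T09:02:11Z vpn event=issued user=jdoe token=OTP-7f3a
2019-10-21T09:15:40Z vpn event=accepted user=jdoe token=OTP-7f3a src=203.0.113.45
2019-10-22T08:30:02Z vpn event=accepted user=jdoe token=OTP-7f3a src=203.0.113.45
2019-10-23T22:41:19Z vpn event=accepted user=jdoe token=OTP-7f3a src=198.51.100.8
2019-10-21T10:00:00Z vpn event=issued user=asmith token=OTP-91c0
2019-10-21T10:03:12Z vpn event=accepted user=asmith token=OTP-91c0 src=192.0.2.17
2019-10-21T11:47:05Z vpn event=accepted user=bcole token=OTP-0000 src=192.0.2.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn event=(?P<event>issued|accepted) "
    r"user=(?P<user>\S+) token=(?P<token>\S+)(?: src=(?P<src>\S+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts, skipping lines that do not match, and
    return them sorted by timestamp so out-of-order records are handled."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_token_violations(events: list[dict], lifetime: timedelta = TOKEN_LIFETIME) -> list[tuple]:
    """Return (kind, token, user, timestamp) tuples for policy violations.

    kind is one of:
      UNISSUED - token accepted but no issuance record exists
      REUSE    - a one-time token accepted a second (or later) time
      EXPIRED  - token accepted more than `lifetime` after it was issued
    """
    issued: dict[str, datetime] = {}
    accepted: dict[str, int] = {}
    findings: list[tuple] = []
    for rec in events:
        tok, user, when = rec["token"], rec["user"], rec["ts"]
        stamp = when.strftime(TS_FMT)
        if rec["event"] == "issued":
            issued[tok] = when
            accepted[tok] = 0
            continue
        accepted[tok] = accepted.get(tok, 0) + 1
        if tok not in issued:
            findings.append(("UNISSUED", tok, user, stamp))
            continue
        if accepted[tok] > 1:
            findings.append(("REUSE", tok, user, stamp))
        if when - issued[tok] > lifetime:
            findings.append(("EXPIRED", tok, user, stamp))
    return findings


if __name__ == "__main__":
    for kind, tok, user, stamp in find_token_violations(parse_log(SAMPLE_LOG)):
        print(f"{stamp} {kind:8} token={tok} user={user}")
```

Correlating on the token identifier is the important part: the VPN concentrator's acceptance log alone shows a successful MFA login each time, and the MFA provider's issuance log alone shows a single token; only the join reveals that a single-use token was honoured on three separate days.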

After multiple days, the bank’s internal IT staff identified that there was an unauthorized user on the network, and their Incident Response team was dispatched to confiscate the targeted employee’s compromised laptop. At this point, the bank personnel in the know revealed to all necessary parties that the bank had engaged NetSPI to conduct a red team assessment. A conference call was quickly held to begin the deconfliction process and confirm that the bank had discovered NetSPI’s activities and not those of an actual attacker. The bank and NetSPI were able to confirm that the red team breach had been discovered. The bank elected to end the engagement, and NetSPI moved on to the reporting phase, producing a deliverable that contained both the overall narrative of the engagement and detailed write-ups for all discovered vulnerabilities and weaknesses.

The Results

After the deconfliction process, internal teams worked with NetSPI to understand the attack path and the technical testing leveraged throughout the engagement. The bank then took this information and built a remediation plan to address the deficiencies. For example, the off-the-shelf network detection software the bank had installed performed poorly: evidence of the intrusion was captured in its log files, but because the software had not been tuned to the environment, no alarms were triggered. This has now been remedied, along with large improvements to the bank’s vulnerability management practices.

In addition, the findings of the assessment resulted in additional funding being made available to address the problem areas highlighted in the final report. Special focus was placed on security awareness training for employees and on help desk staff’s adherence to caller identification and verification procedures, to make them more alert to malicious actors.

To confirm the remediation activities were successful, NetSPI performed an additional round of technical testing to verify that the identified vulnerabilities had been remediated.

