Dealing with Misinformation During Security Assessments and Forensic Investigations

Information security professionals frequently encounter misinformation, especially while conducting security assessments and forensic investigations. These projects often involve interviewing clients or colleagues to learn about the IT infrastructure, security practices, data flows, and so on.

The Reality of Misinformation

Unfortunately, interview subjects don’t always provide accurate information. This is usually done without malice—the subjects might not know all the details and don’t want to look bad; or they might simply remember the details incorrectly. In some cases the subjects might have incentives to purposefully mislead the interviewer.

J. Andrew Valentine discussed this topic in his chapter in the book CyberForensics, where he advised memorizing and reciting a mantra such as:

"My job here is to help you. However, I cannot help you unless you tell me the truth."

He also highlighted the need to fact-check and validate information presented during interviews. I agree.

10 Tips for Spotting and Handling Misinformation

Here are my 10 tips for dealing with misinformation during security assessments and forensic investigations:

  • Remember that interview subjects might purposefully or inadvertently present you with incorrect information.
  • Watch out for “lies by omission,” which is another form of misinformation.
  • Look for discrepancies between the information provided by different subjects and also between what you heard and what you saw in documentation.
  • Ask similar questions several times, though not in direct sequence, watching out for the discrepancies in the answers you might receive.
  • Collect your own data to collaborate or refute what you heard during interviews. You may be unable to check all information, but spot-checks should be within the realm of possibility.
  • Consider whether it’s wise to directly confront the subject when you notice misinformation—this might create friction without helping your objectives
  • If you have the opportunity, give the people whom you’ll interview a chance to get to know you—if they feel comfortable with you, they might be more truthful.
  • Remind subjects that it’s very important for you to have accurate information to provide meaningful analysis.
  • Take notes of the answers, confirming with subjects what you heard them say to avoid concerns over incorrect recollection of the statements.
  • Keep in mind that sometimes people don’t realize that they are providing misinformation—they might be simply misinformed.

The problem of misinformation is common in other professions, including lawyers and doctors. Note to self: research how other professions deal with it.

Update: For additional thoughts along these lines, see Ed Moyle’s post Anticipate the Lies, Plan Accordingly.

For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.

Lenny Zeltser

Updated November 11, 2010
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more