Dealing with Misinformation During Security Assessments and Forensic Investigations

Information security professionals frequently encounter misinformation, especially while conducting security assessments and forensic investigations. These projects often involve interviewing clients or colleagues to learn about the IT infrastructure, security practices, data flows, and so on.

The Reality of Misinformation

Unfortunately, interview subjects don’t always provide accurate information. This is usually done without malice—the subjects might not know all the details and don’t want to look bad; or they might simply remember the details incorrectly. In some cases the subjects might have incentives to purposefully mislead the interviewer.

J. Andrew Valentine discussed this topic in his chapter in the book CyberForensics, where he advised memorizing and reciting a mantra such as:

“My job here is to help you. However, I cannot help you unless you tell me the truth.”

He also highlighted the need to fact-check and validate information presented during interviews. I agree.

10 Tips for Spotting and Handling Misinformation

Here are my 10 tips for dealing with misinformation during security assessments and forensic investigations:

  • Remember that interview subjects might purposefully or inadvertently present you with incorrect information.
  • Watch out for “lies by omission,” which is another form of misinformation.
  • Look for discrepancies between the information provided by different subjects and also between what you heard and what you saw in documentation.
  • Ask similar questions several times, though not in direct sequence, watching out for the discrepancies in the answers you might receive.
  • Collect your own data to corroborate or refute what you heard during interviews. You may be unable to check all information, but spot-checks should be within the realm of possibility.
  • Consider whether it’s wise to directly confront the subject when you notice misinformation—this might create friction without helping your objectives.
  • If you have the opportunity, give the people whom you’ll interview a chance to get to know you—if they feel comfortable with you, they might be more truthful.
  • Remind subjects that it’s very important for you to have accurate information to provide meaningful analysis.
  • Take notes of the answers, confirming with subjects what you heard them say to avoid concerns over incorrect recollection of the statements.
  • Keep in mind that sometimes people don’t realize that they are providing misinformation—they might be simply misinformed.

The problem of misinformation is common in other professions, such as those of lawyers and doctors. Note to self: research how other professions deal with it.

Update: For additional thoughts along these lines, see Ed Moyle’s post Anticipate the Lies, Plan Accordingly.

For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
