When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned
about which of the following?
A.
Number of nonthreatening events identified as threatening
B.
Attacks not being identified by the system
C.
Reports/logs being produced by an automated tool
D.
Legitimate traffic being blocked by the system
Explanation:
Attacks not being identified by the system present a higher risk, because they are unknown and no
action will be taken to address the attack. Although the number of false-positives is a serious issue,
the problem will be known and can be corrected. Often, IDS reports are first analyzed by an
automated tool to eliminate known false-positives, which generally are not a problem. An IDS does
not block any traffic.