[CCCure CISSP] Doubt relating to IDS threshold


Amlan Deb
Hello everyone,

Here's a doubt I had in a question in Shon Harris AIO regarding IDS threshold.

George is responsible for setting and tuning the thresholds for his company’s
behavior-based IDS. Which of the following outlines the possibilities of not
doing this activity properly?

A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).

C. If the threshold is set too high, nonintrusive activities are considered
attacks (false positives). If the threshold is set too low, then malicious
activities are not identified (false negatives).

D. If the threshold is set too high, nonintrusive activities are considered
attacks (false positives). If the threshold is set too high, then malicious
activities are not identified (false negatives).


As per the book, option 'C' is the correct answer.

Isn't option 'A' the right answer: the lower we decide to keep the threshold of 'normal' activity - the more alerts we'll get and the higher the threshold of 'normal' activity - the more malicious attacks will go unidentified?
 
Thanks,
Amlan
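
The following is an added example, not part of the original post or of the book it quotes. It reads "threshold" the way the post does, as the distance from learned normal behaviour above which an alert fires, and counts false positives and false negatives at three settings. The failed-login metric, the z-score scoring and all data are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed baseline: failed logins per hour seen during a clean training window.
BASELINE = [2, 3, 1, 4, 2, 3, 5, 2, 3, 4, 1, 3]

# Constructed, labelled evaluation events: (failed logins in the hour, is_malicious).
EVENTS = [
    (3, False), (5, False), (6, False), (8, False),  # benign, including a busy hour
    (7, True), (12, True), (40, True),               # slow guessing up to noisy brute force
]


def anomaly_score(value, baseline=BASELINE):
    """Distance from the learned 'normal' in standard deviations (z-score)."""
    return (value - mean(baseline)) / stdev(baseline)


def evaluate(threshold, events=EVENTS):
    """Alert when the score exceeds the threshold.

    Returns (false_positives, false_negatives) for the labelled events.
    """
    fp = fn = 0
    for value, malicious in events:
        alert = anomaly_score(value) > threshold
        if alert and not malicious:
            fp += 1  # benign activity reported as an attack
        elif not alert and malicious:
            fn += 1  # malicious activity not identified
    return fp, fn


def sweep(thresholds=(1.0, 4.0, 8.0)):
    """Evaluate several threshold settings against the same events."""
    return {t: evaluate(t) for t in thresholds}


if __name__ == "__main__":
    for t, (fp, fn) in sweep().items():
        print(f"threshold={t:>4}: false positives={fp}, false negatives={fn}")
```

Because the benign busy hour (8 failures) scores higher than the slowest malicious event (7 failures), no setting removes both error types on this data; tuning only moves the trade-off.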
