CAS-001 Question #298: Real Exam Question with Answer & Explanation
The correct answer is D: No one was reviewing the IDS event logs.
Question
Options
- A. The IDS generated too many false negatives.
- B. The attack occurred after hours.
- C. The IDS generated too many false positives.
- D. No one was reviewing the IDS event logs.
Explanation
The scenario explicitly states that the IDS detected and logged the initial attack attempt, so the sensor itself was working. The failure occurred in the human process: no one reviewed the IDS logs and acted on the alert. Had someone reviewed the logs, the source IP could have been blocked, the vulnerability patched, or an investigation launched before the attacker succeeded one week later. An alert that is logged but never read gives the organization a record of the compromise, not a chance to prevent it. Option A (too many false negatives) is wrong because the IDS correctly detected the attack; it did not miss it. Option B (after hours) does not explain why a logged alert went uninvestigated for an entire week. Option C (too many false positives) describes alert fatigue, where real alerts are ignored amid noise. That is possible, but nothing in the scenario mentions alert volume, and the most direct explanation given the facts is simply that no one reviewed the logs.
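The gap the question describes, an alert that was logged and then sat unread until the same source came back a week later, is something a security operations team can check for mechanically. The script below is an added example written for this page, not part of the exam material or any vendor's product. It parses Snort "fast"-format alert lines (the line format is real; the alerts themselves are constructed, with RFC 5737 documentation addresses), reads a hypothetical analyst review log whose `action=ack sig=... src=...` format is assumed here, and reports two things: alerts older than a review SLA that were never acknowledged, and source IPs that alerted on more than one day. Snort fast format carries no year, so the example assumes one.

```python
"""Find IDS alerts that were logged but never reviewed, and sources that came back.

Added example for the CAS-001 Q#298 explanation. Alert lines are constructed in
real Snort fast format; the review-log format (analyst acknowledgements) is a
hypothetical one assumed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ASSUMED_YEAR = 2024  # Snort fast format omits the year; assumed for parsing.

# Constructed sample alerts: an attack probe on 03/01, an acknowledged scan the
# same day, and the same attacker source returning one week later on 03/08.
IDS_ALERTS = """\
03/01-02:14:07.112233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:80
03/01-09:30:12.000001  [**] [1:2019401:3] ET SCAN Nmap scripting engine [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.10:443
03/08-03:02:55.445566  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:51300 -> 192.0.2.10:80
"""

# Constructed review log in a hypothetical format: only the scan was acknowledged.
REVIEW_LOG = """\
2024-03-01T10:05:00 analyst=jdoe action=ack sig=1:2019401:3 src=198.51.100.7 note=authorized-scan
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
ACK_RE = re.compile(r"^(?P<ts>\S+)\s+.*?\baction=ack\b.*?\bsig=(?P<sig>\S+)\s+src=(?P<src>\S+)")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sig: str       # gid:sid:rev
    msg: str
    priority: int
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_fast_alert(line: str) -> Alert:
    """Parse one Snort fast-format alert line into an Alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    ts = datetime.strptime(f"{ASSUMED_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(ts, m["sig"], m["msg"], int(m["prio"]), m["proto"],
                 m["src"], m["dst"], int(m["dport"]))


def parse_review_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (ack_time, signature, source_ip) for each acknowledgement line."""
    acks = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            acks.append((datetime.fromisoformat(m["ts"]), m["sig"], m["src"]))
    return acks


def unreviewed_alerts(alerts: List[Alert], acks, sla: timedelta, now: datetime) -> List[Alert]:
    """Alerts past the review SLA with no matching acknowledgement inside the SLA window."""
    late = []
    for a in alerts:
        if now - a.ts < sla:
            continue  # still inside the review window, not late yet
        acked = any(a.sig == sig and a.src_ip == src and a.ts <= t <= a.ts + sla
                    for t, sig, src in acks)
        if not acked:
            late.append(a)
    return late


def repeat_sources(alerts: List[Alert]) -> Dict[str, timedelta]:
    """Source IPs seen on more than one calendar day, with the first-to-last span."""
    by_src: Dict[str, List[datetime]] = {}
    for a in alerts:
        by_src.setdefault(a.src_ip, []).append(a.ts)
    return {src: max(ts) - min(ts) for src, ts in by_src.items()
            if len({t.date() for t in ts}) > 1}


def run(now: datetime = datetime(2024, 3, 10), sla: timedelta = timedelta(hours=24)):
    alerts = [parse_fast_alert(l) for l in IDS_ALERTS.splitlines()]
    acks = parse_review_log(REVIEW_LOG)
    return unreviewed_alerts(alerts, acks, sla, now), repeat_sources(alerts)


if __name__ == "__main__":
    late, repeats = run()
    for a in late:
        print(f"UNREVIEWED {a.ts:%m-%d %H:%M} [{a.sig}] {a.msg} from {a.src_ip}")
    for src, span in repeats.items():
        print(f"REPEAT SOURCE {src}: first and last alert {span.days} days apart")
```

Run against the constructed data, the acknowledged Nmap scan drops out, both `203.0.113.45` alerts are reported as unreviewed, and that source is flagged as returning seven days after its first alert, which is exactly the pattern the question describes. The acknowledgement match here is on signature plus source IP; a real SOC would key on the alert's own event ID from the IDS or SIEM, but the control being demonstrated is the same: measure the gap between "logged" and "reviewed", and alert on it.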