CompTIA CAS-002 Question #125: Real Exam Question with Answer & Explanation
The correct answer is D: No one was reviewing the IDS event logs. The IDS correctly detected and logged the attack attempt, but no one reviewed or acted on the alert, which allowed the attacker to return a week later and successfully compromise the network.
Question
An intrusion detection system logged an attack attempt from a remote IP address. One week later, the attacker successfully compromised the network. Which of the following MOST likely occurred?
Options
- A. The IDS generated too many false negatives.
- B. The attack occurred after hours.
- C. The IDS generated too many false positives.
- D. No one was reviewing the IDS event logs.
Explanation
The IDS correctly detected and logged the attack attempt, but no one reviewed or acted on the alert, which allowed the attacker to return a week later and successfully compromise the network.
Common mistakes.
- A. False negatives occur when an IDS fails to detect a real attack; this scenario explicitly states the IDS did log the attack attempt, which means false negatives were not the cause of the eventual compromise.
- B. The time of the attack is irrelevant if logs are reviewed regularly; there is no indication in the scenario that after-hours monitoring gaps existed or contributed to the outcome.
- C. False positives are benign events incorrectly flagged as malicious; the IDS accurately identified a real attack attempt, so alert fatigue from false positives is not supported by the scenario.
Concept tested. IDS alert monitoring and security event response process
Reference. https://csrc.nist.gov/publications/detail/sp/800-94/final