nerdexam
CompTIA

CAS-005 · Question #330

CAS-005 Question #330: Real Exam Question with Answer & Explanation

The correct answer is B: Classify the incident as a false negative.

Submitted by packet_pusher · Mar 6, 2026 · Security Operations

Question

A security analyst is investigating a possible insider threat incident that involves the use of an unauthorized USB from a shared account to exfiltrate data. The event did not create an alert. The analyst has confirmed the USB hardware ID is not on the device allow list, but has not yet confirmed the owner of the USB device. Which of the following actions should the analyst take next?

Options

  • A. Classify the incident as a false positive.
  • B. Classify the incident as a false negative.
  • C. Classify the incident as a true positive.
  • D. Classify the incident as a true negative.

Explanation

A false negative occurs when a threat or security event happens but fails to trigger an alert, leading to undetected malicious activity. In this case, the security analyst has confirmed that an unauthorized USB device was used, which violates policy. However, since the event did not generate an alert despite being an unauthorized action, it indicates a failure in the detection system to identify the threat.
