When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned
about which of the following?
Number of nonthreatening events identified as threatening
Attacks not being identified by the system
Reports/logs being produced by an automated tool
Legitimate traffic being blocked by the system
Attacks not being identified by the system present a higher risk, because they are unknown and no
action will be taken to address the attack. Although the number of false-positives is a serious issue,
the problem will be known and can be corrected. Often, IDS reports are first analyzed by an
automated tool to eliminate known false-positives, which generally are not a problem. An IDS does
not block any traffic.