What is a false positive alarm? What is a false negative alarm? From a security perspective, which is less desirable, and why?

In web application security, an ideal security system would correctly evaluate all incoming traffic. All legitimate traffic would be allowed, and all hostile traffic would be blocked.

Unfortunately, in the real world, errors sometimes occur. In threat identification, there are two types of errors: false positives and false negatives.

What Are False Negative Alarms?

A false negative occurs when the security system (usually a WAF) fails to identify a threat. It produces a “negative” outcome (meaning that no threat has been observed), even though a threat exists.

This is the opposite of a false positive alarm, where a system mistakenly identifies legitimate traffic as being hostile. Although false positives can be quite harmful, the consequences of false negatives can be even worse.

What Are the Consequences of a False Negative?

A failure to detect an API security attack often means that the attacker will be able to proceed without being hindered. Depending on the skills, persistence, and intentions of the attacker, this can result in anything from a mild inconvenience to a catastrophic system breach. The possible consequences include:

  • Data theft: Large-scale data breaches can be disastrous. They can generate tremendous amounts of bad publicity, damage the organization’s reputation in the marketplace and among its customers, create legal liabilities, and result in punitive fines from privacy regulators.
  • Loss of intellectual property: A successful infiltration can result in the subsequent exfiltration of trade secrets and other intellectual property. Depending on the industry, this can ruin profit margins or even destroy a previous position of market leadership.
  • Ransomware: A successful system penetration can result in the attacker encrypting all of the organization’s data and refusing to release it unless a large ransom demand is paid. Ransomware attacks in healthcare are especially common, but this can be a problem in any industry.

How to Reduce False Negatives

Fortunately, there are some strategies that can reduce false negative alarms.

False negatives tend to be produced by security systems that rely exclusively on a negative security model. Under this approach, the system allows all traffic through unless the traffic matches a threat signature or is otherwise identifiable as hostile. This means that attackers can succeed if they can conduct their attacks in a way that does not match common threat patterns or signatures.

This problem can be mitigated by adding an additional layer of positive API security, which makes it much more difficult for attackers to slip through the defenses. Under this approach, the system denies access to all requests except for those that match the characteristics of legitimate, desirable traffic.

Adding a layer of positive security usually requires the addition of a next-gen WAF to the system, since traditional WAFs tend to be based on a negative security approach. Depending on the solution that is chosen, other benefits can be available as well, such as advanced bot management, UEBA-based security, and more.
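The contrast between the two models, and what "adding a layer" does to the error counts, is easiest to see on traffic with known labels. The following is an added example, not code from the original article or from any WAF product: the sample requests, the two signatures, the per-endpoint schema and the labels are all constructed for illustration. It scores a signature-only (negative) filter, an allowlist-only (positive) filter, and the two layered together, counting true/false positives and negatives against the ground-truth labels.

```python
"""Negative (blocklist) vs positive (allowlist) request filtering, scored for
false positives and false negatives on constructed, labelled traffic.
Added example: requests, signatures and schema are made up for illustration."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic with ground-truth labels (True = hostile).
SAMPLE_REQUESTS = [
    ("GET /api/users?id=42", False),
    ("GET /api/search?q=blue widgets", False),
    ("GET /api/search?q=what does ../ mean", False),   # legitimate, but trips a signature
    ("GET /api/users?id=../../etc/passwd", True),      # matches a classic signature
    ("GET /api/users?id=42&role=admin", True),         # parameter tampering; no signature
    ("GET /api/internal/export", True),                # undocumented endpoint; no signature
]

# Negative security model: allow everything unless a known-bad pattern matches.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"<script", re.I)]


def negative_model_blocks(request: str) -> bool:
    """Deny only requests that match a threat signature."""
    return any(sig.search(request) for sig in SIGNATURES)


# Positive security model: allow only documented endpoints whose parameters
# have the expected name and shape; everything else is denied.
SCHEMA = {
    "/api/users": {"id": re.compile(r"^\d{1,10}$")},
    "/api/search": {"q": re.compile(r"^[A-Za-z0-9 .\-/?]{1,64}$")},
}


def positive_model_blocks(request: str) -> bool:
    """Deny anything that is not explicitly described by the schema."""
    method, _, target = request.partition(" ")
    if method != "GET":
        return True
    parts = urlsplit(target)
    allowed = SCHEMA.get(parts.path)
    if allowed is None:
        return True  # unknown endpoint
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = allowed.get(name)
        if pattern is None or not pattern.match(value):
            return True  # unknown parameter, or value of the wrong shape
    return False


def layered_blocks(request: str) -> bool:
    """Signature layer plus positive layer: deny if either layer denies."""
    return negative_model_blocks(request) or positive_model_blocks(request)


def score(model, samples=SAMPLE_REQUESTS) -> dict:
    """Confusion counts for a model: blocked+hostile is a true positive,
    blocked+legitimate a false positive, allowed+hostile a false negative."""
    counts = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for request, hostile in samples:
        blocked = model(request)
        if hostile and blocked:
            counts["tp"] += 1
        elif hostile and not blocked:
            counts["fn"] += 1
        elif not hostile and blocked:
            counts["fp"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for name, model in [("negative", negative_model_blocks),
                        ("positive", positive_model_blocks),
                        ("layered", layered_blocks)]:
        print(f"{name:9s} {score(model)}")
```

On this traffic the signature-only filter lets two hostile requests through (two false negatives) and blocks one legitimate search that happens to contain `../` (one false positive). The allowlist catches all three hostile requests because none of them fits the documented shape of the API. Layering the two removes the false negatives but keeps the signature layer's false positive, which is the practical caveat: the positive layer closes the detection gap, while the signature set still needs tuning to avoid blocking legitimate users.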

Christy Yazzie, Chapter 7 Review/Exercises, Review Questions

2. How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?

5. What is a monitoring (or SPAN) port? What is it used for?


Grant Brunier, Aug 22, 2010, 4:36:50 AM, to SEC-0130 Summer 2010

1. What common security system is an IDPS most like? In what ways are these systems similar?
a. The two systems often coexist, hence the combined term intrusion detection/prevention system (IDPS). An IDS works like a burglar alarm in that it detects a violation and activates an alarm.

2. How does a false positive alarm differ from a false negative one? From a security perspective, which is least desirable?
a. False positives tend to make users insensitive to alarms, and thus reduce their reactivity to actual intrusion events. The false positives seem to be the least desirable. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack.

Elma Hartunian, Sep 4, 2010, 12:08:52 PM

Thanks Grant. Nice and easy way to define the IDPS. I appreciate your work.

How does a false positive alarm differ from a false negative one? From a security perspective, which is least desirable?

A false positive is a false alarm. A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack.

What is the difference between false positive and false negative alarms?

A false positive is when a scientist determines something is true when it is actually false (also called a type I error). A false positive is a “false alarm.” A false negative is saying something is false when it is actually true (also called a type II error).

What is a false positive IDS alarm (Quizlet)?

False positive: an alarm or alert that indicates that an attack is in progress, or that an attack has successfully occurred, when in fact there was no such attack.

What is a false negative in computer security?

Definition(s): An instance in which a security tool intended to detect a particular threat fails to do so.