CompTIA Security Plus Mock Test Q684

Which of the following is an example of a false positive?

A. Anti-virus identifies a benign application as malware.
B. A biometric iris scanner rejects an authorized user wearing a new contact lens.
C. A user account is locked out after the user mistypes the password too many times.
D. The IDS does not identify a buffer overflow.

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.
In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE – unsolicited bulk email, as junk email is more formally known. Messages that are
determined to be spam – whether correctly or incorrectly – may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail.
One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally
blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all.
False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and
ports. When activity varies outside of an acceptable range – for example, a remote application attempting to open a normally closed port — an intrusion may be in progress. However,
an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be
high.
False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.

Incorrect Answers:
B: If an authorized user is wearing a new contact lens, the biometric iris scanner would not recognize it and would correctly deny access. This is not a false positive.
C: If a user mistypes their password too many times and an account lockout policy is configured, the account would correctly be locked if the policy condition (number of failed login
attempts) is met. This is not a false positive.
D: If an IDS (intrusion detection system) does not identify a buffer overflow, this is not a false positive. A ‘positive’ result would be the IDS recognizing the buffer overflow. A false
positive would be the IDS identifying something as a buffer overflow when a buffer overflow doesn’t exist.

References:
http://whatis.techtarget.com/definition/false-positive