A false positive is an alert that detection and protection software generates when legitimate activity is classified as an attack. This may not seem as harmful as a false negative, but it is damaging in both the short and the long term. In the short term it can cause a legitimate website, file, or other item to be quarantined, blocked, or deleted; in the long term it breeds alert fatigue, and analysts begin to ignore alarms. As in "The Boy Who Cried Wolf", a source that raises too many false alarms is not believed even when it reports a real one.
False positives also occur easily in attack surface management when assets are incorrectly attributed to an organization's attack surface. In these cases it is important to have a process for vetting such assets and excluding the confirmed misattributions from future assessments, while making sure that a genuinely owned asset is never excluded by the same mechanism.
A false negative occurs when a cyber threat or attack passes through scanning and protection software undetected. There are a number of reasons this happens: the attack is dormant at the time of scanning, it is a highly sophisticated file-less threat or one capable of lateral movement, or the security infrastructure simply lacks the capability to detect it.
False negatives are the more serious outcome: the threat has evaded technologies such as next-generation firewalls, antivirus software, and EDR platforms, which largely look for "known" attacks and malware, and it now operates with no alert to investigate.
False negatives also occur easily in attack surface management when assets that should be tested are not discovered at all, or are incorrectly excluded from the attack surface, so they are never assessed.
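The two attack-surface cases above (misattributed assets that must be vetted and excluded, and owned assets that are missed or wrongly excluded) are both just a reconciliation between what the scan attributed to you and what you can verify you own. The following Python is an added example, not code from the original page or from any ASM product: it classifies discovered assets as true positives, false positives, or false negatives, honours a vetted exclusion list, and flags an exclusion that hides an owned asset as a false negative rather than silently dropping it. All domain names, IP addresses, ownership rules, and inventory entries are constructed sample data, and the function and field names are this example's own.

```python
"""Reconcile ASM discovery results against a verified asset inventory.

Constructed example: every domain, address, and inventory entry below is
made up (RFC 2606 / RFC 5737 reserved names and ranges), and the function
names are this example's own, not any product's API.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    true_positives: set = field(default_factory=set)   # attributed to us, and really ours
    false_positives: set = field(default_factory=set)  # attributed to us, not ours: vet, then exclude
    false_negatives: set = field(default_factory=set)  # ours, but never surfaced or wrongly excluded
    excluded: set = field(default_factory=set)         # vetted exclusions honoured on this run

    def precision(self) -> float:
        found = len(self.true_positives) + len(self.false_positives)
        return len(self.true_positives) / found if found else 0.0

    def recall(self) -> float:
        ours = len(self.true_positives) + len(self.false_negatives)
        return len(self.true_positives) / ours if ours else 0.0


def is_owned(asset, inventory, owned_domains, owned_networks) -> bool:
    """Ground truth: explicit inventory, then our registered domains, then our IP ranges."""
    if asset in inventory:
        return True
    try:
        ip = ipaddress.ip_address(asset)
    except ValueError:
        # not an IP literal, so treat it as a hostname and match on domain suffix
        host = asset.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in owned_domains)
    return any(ip in net for net in owned_networks)


def reconcile(discovered, inventory, vetted_exclusions, owned_domains=(), owned_networks=()):
    """Classify every discovered asset and every inventory asset the scan missed."""
    owned_networks = [ipaddress.ip_network(n) for n in owned_networks]
    result = Reconciliation()
    for asset in discovered:
        owned = is_owned(asset, inventory, owned_domains, owned_networks)
        if asset in vetted_exclusions:
            if owned:
                # an exclusion that hides a real asset is a false negative, not a cleanup
                result.false_negatives.add(asset)
            else:
                result.excluded.add(asset)
        elif owned:
            result.true_positives.add(asset)
        else:
            result.false_positives.add(asset)
    # assets we know we own but the scan never surfaced are coverage gaps
    for asset in inventory:
        if asset not in discovered:
            result.false_negatives.add(asset)
    return result


def vet(result, asset, confirmed_not_ours, exclusions):
    """Record an analyst decision. Only an asset currently classed as a false
    positive can be added to the exclusion list, so a true positive can never
    be dropped from future assessments through this path."""
    if confirmed_not_ours and asset in result.false_positives:
        return exclusions | {asset}
    return exclusions


# ---- constructed sample data ------------------------------------------------
INVENTORY = {"www.example.com", "api.example.com", "vpn.example.com", "203.0.113.10"}
OWNED_DOMAINS = ("example.com",)
OWNED_NETWORKS = ("203.0.113.0/24",)
DISCOVERED = {
    "www.example.com", "api.example.com", "203.0.113.10",
    "dev.example.com",       # not in inventory but under our domain: shadow IT, true positive
    "examplecorp-fans.net",  # third-party fan site, already vetted: excluded
    "198.51.100.7",          # shared-hosting neighbour: false positive to vet
}
# api.example.com was excluded by mistake during an earlier vetting pass
EXCLUSIONS = {"examplecorp-fans.net", "api.example.com"}


def demo():
    return reconcile(DISCOVERED, INVENTORY, EXCLUSIONS, OWNED_DOMAINS, OWNED_NETWORKS)


if __name__ == "__main__":
    r = demo()
    print("true positives :", sorted(r.true_positives))
    print("false positives:", sorted(r.false_positives))
    print("false negatives:", sorted(r.false_negatives))
    print("excluded       :", sorted(r.excluded))
    print(f"precision={r.precision():.2f} recall={r.recall():.2f}")
```

Running it on the sample data gives precision 0.75 (one misattributed neighbour out of four attributed assets) and recall 0.60: `vpn.example.com` was never discovered, and `api.example.com` was discovered but sat on the exclusion list, which is exactly the "incorrectly excluded" false negative the text warns about. The `vet` helper is the check that keeps the exclusion list from becoming a source of new false negatives.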