False Positives, True Negatives And More In Your Network Security
Updated: Apr 21
We hope everyone had a wonderful Easter weekend (or week of Passover) full of family, joy, and free of pesky security alerts.
After all, most security alerts are just noise and false positives, right?
That is what the company 3CX certainly thought when users started complaining about suspicious activity on their networks after installing the company's update to its desktop application.
As it turns out, though, the assumption of a false positive turned out to be… false.
“False positive” is the classification most commonly cited when talking about findings, but it is actually only one of four different types.
Here is a quick breakdown of the four types:
False positive: Identifying an issue that isn't there.
True positive: Identifying an issue that is there.
False negative: Not identifying an issue that is there.
True negative: Not identifying an issue that isn't there.
Obviously, true positives are the ideal. Meanwhile, a false negative is a pentester's and security manager's worst nightmare - telling your client (or your executive team) that everything is dandy when it isn't.
That is usually the tradeoff, though. By attempting to eliminate any risk of a false negative, you increase the number of false positives. And as 3CX learned, when you have so many false positives that you are constantly ignoring them, it becomes easy to ignore a true positive as well.
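The four classifications above and the threshold tradeoff in this paragraph, as an added example that is not part of the original post: a small Python script with constructed detector scores (the scores, the `SAMPLES` list and the function names are assumptions for illustration). Lowering the alert threshold to chase false negatives drives the false-positive count up, which is the alert-fatigue effect described here.

```python
"""Confusion-matrix bookkeeping for security alerts (added example).

Each constructed sample is (detector_score, truly_malicious); the detector
alerts when score >= threshold.
"""
from collections import Counter

# Constructed sample events: (detector score in 0..1, ground truth).
SAMPLES = [
    (0.95, True),   # obvious real issue: alerts at almost any threshold
    (0.62, True),   # subtle real issue: missed when the threshold is high
    (0.40, True),   # very subtle real issue
    (0.88, False),  # noisy benign event: a false positive at most thresholds
    (0.55, False),
    (0.35, False),
    (0.10, False),
    (0.05, False),
]


def classify(score, truly_malicious, threshold):
    """Return 'TP', 'FP', 'FN' or 'TN' for a single event."""
    alerted = score >= threshold
    if alerted and truly_malicious:
        return "TP"   # identified an issue that is there
    if alerted and not truly_malicious:
        return "FP"   # identified an issue that isn't there
    if not alerted and truly_malicious:
        return "FN"   # failed to identify an issue that is there
    return "TN"       # correctly stayed quiet


def confusion_matrix(samples, threshold):
    """Count TP/FP/FN/TN for a detector at the given alert threshold."""
    counts = Counter(classify(s, m, threshold) for s, m in samples)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "FN", "TN")}


def threshold_sweep(samples, thresholds):
    """Return [(threshold, false_positives, false_negatives)] per threshold."""
    rows = []
    for t in thresholds:
        cm = confusion_matrix(samples, t)
        rows.append((t, cm["FP"], cm["FN"]))
    return rows


if __name__ == "__main__":
    for t, fp, fn in threshold_sweep(SAMPLES, (0.9, 0.7, 0.5, 0.3)):
        print(f"threshold={t:.1f}  false positives={fp}  false negatives={fn}")
```

Running it shows false negatives falling from 2 to 0 as the threshold drops from 0.9 to 0.3, while false positives climb from 0 to 3.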
In 3CX's defense, though, they didn't completely ignore the issue - they analyzed their app on VirusTotal, which gave them a clean bill of health - a false negative.
Tools and scanners, like VirusTotal in the 3CX story or vulnerability scanners, tend to be the most common sources of both false positives and false negatives.
This is why everything comes back to good processes and experienced professionals - not just tools. Even with good tools, configuration tuning and clean inputs will clear up many false findings (positive or negative), but the final determination always rests with the analyst or engineer.
So, as you write processes or configure alerts, always consider how a potential false positive or a false negative should be handled. The more prepared you are for each possibility, the less surprised you will be when tools end up being wrong.