Your company has an intrusion detection system (IDS) monitoring traffic between the Internet and the company's internal network. The IDS logged an attack attempt from a remote IP address. Two months later, the attacker successfully compromised the network. Which of the following MOST likely occurred?

A. The IDS generated too many false negatives.
B. No one was reviewing the IDS event logs.
C. The IDS generated too many false positives.
D. The attack occurred during off hours or a holiday.


B
Explanation: It is most likely that no one was reviewing the IDS event logs. If those logs were reviewed on a regular basis, someone would have noticed the attack attempt and would have taken measures to prevent the attack in the future.
This problem did not occur because the IDS generated too many false negatives or false positives. False positives, or false alarms, occur when an IDS incorrectly identifies certain traffic as an attack attempt. False negatives occur when an IDS incorrectly identifies certain traffic as normal or acceptable. If an IDS returns false positives or false negatives, the IDS administrator can take actions that will allow the IDS to correctly identify that traffic in the future. However, this would not have caused the problem in the scenario.
If the attack occurred during off hours or a holiday, the attack would still have been prevented if the appropriate measures were taken to prevent the attack after the initial attack attempt occurred.

Computer Science & Information Technology
