Weekly CISSP Practice

Exam Questions

Week 12 - Question 1

After a scan, you discover many false positives. What should you do first?

A.  Disable the scanner

B.  Update the scanner's database

C.  Perform a penetration test

D.  Reconfigure the network firewall

Correct Answer: B

Explanation:

A. Disable the Scanner
Disabling a security tool because it is providing imperfect data is a violation of Due Care.

The Risk: While false positives are frustrating, the scanner is likely still identifying real "True Positives" (actual vulnerabilities). Turning it off creates a massive blind spot in your security posture, allowing known vulnerabilities to go unpatched.

The Better Approach: Rather than disabling the tool, you should "tune" it. In security operations, tuning is the process of refining a tool's configuration to reduce noise while maintaining detection capabilities.

B. Update the Scanner's Database
Vulnerability scanners rely on a signature database (often tied to the CVE—Common Vulnerabilities and Exposures list) to identify threats.

Why it's the Answer: Vulnerability signatures are constantly being refined by security vendors. A high rate of false positives often occurs because the scanner is using outdated "logic" to identify a vulnerability. For example, an old signature might flag a service as vulnerable based solely on a version number, while a newer signature might check for the presence of a specific patch that fixes the flaw.

First Step Logic: In the CISSP "order of operations," you always look for the most efficient, low-cost solution that addresses the root cause. Updating the database is a standard maintenance task that ensures the scanner is using the most accurate and "intelligent" detection logic available.

C. Perform a Penetration Test
A penetration test is a manual, deep-dive exercise where a human tester attempts to exploit vulnerabilities.

The Conflict: While a pen tester can manually verify if a "false positive" is indeed false, it is an extremely expensive and time-consuming way to fix a scanner's configuration issue.

The Proper Workflow: Typically, you use a vulnerability scan to find the "low-hanging fruit" and then use a penetration test to validate high-risk findings and explore complex attack paths. You do not use a pen test as a debugging tool for your automated scanners.

D. Reconfigure the Network Firewall
The network firewall and the vulnerability scanner serve two different purposes within the Defense in Depth strategy.

The Misalignment: A firewall controls traffic flow (who can talk to whom), whereas a scanner evaluates the "health" of the assets themselves.

The Danger: If you reconfigure a firewall based on incorrect data (false positives), you might accidentally block legitimate business traffic or, worse, open ports that should be closed, thinking you are "fixing" a reported issue that doesn't actually exist.

Key Takeaway for the CISSP Exam

Data Accuracy Terms:

  • False Positive: Scanner says there is a hole, but there isn't. (Wastes time).
  • False Negative: Scanner says you are safe, but there is a hole. (The most dangerous result).
  • True Positive: Scanner found a real hole. (Success).
  • Tuning: The act of reducing False Positives by updating signatures and refining scan parameters.
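The following is an added worked example, not part of the original practice question, that ties together the explanation of answer B (an outdated signature flags on version number alone, an updated one also checks for the fix) and the data accuracy terms above. The vulnerability rule, the patch identifier PATCH-EXAMPLE-001 and the host inventory are all constructed placeholders, not a real CVE or real product data; the point is to show how the same hosts score as True Positive, False Positive, False Negative or True Negative under each signature, and why updating the signature database is what removes the false positives.

```python
from dataclasses import dataclass

# Constructed vulnerability rule (hypothetical, not a real CVE): service versions
# below 2.4.50 are affected unless the vendor's backported fix, labelled here with
# the placeholder PATCH-EXAMPLE-001, has been installed.
AFFECTED_BEFORE = (2, 4, 50)
FIX_PATCH = "PATCH-EXAMPLE-001"


@dataclass(frozen=True)
class Host:
    name: str
    service_version: str          # version string the scanner reads from the banner
    installed_patches: frozenset  # patch identifiers seen by an authenticated check
    truly_vulnerable: bool        # ground truth, used only to score the signatures


def parse_version(version: str) -> tuple:
    """'2.4.41' -> (2, 4, 41) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def old_signature(host: Host) -> bool:
    """Outdated detection logic: flag purely on the version number."""
    return parse_version(host.service_version) < AFFECTED_BEFORE


def new_signature(host: Host) -> bool:
    """Updated logic: version is in the affected range AND the fix is absent."""
    return old_signature(host) and FIX_PATCH not in host.installed_patches


def score(signature, hosts) -> dict:
    """Count TP/FP/FN/TN by comparing what the signature flags with ground truth."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for host in hosts:
        flagged = signature(host)
        if flagged and host.truly_vulnerable:
            counts["TP"] += 1      # real hole, correctly reported
        elif flagged and not host.truly_vulnerable:
            counts["FP"] += 1      # reported hole that is not there (wasted time)
        elif not flagged and host.truly_vulnerable:
            counts["FN"] += 1      # missed hole (the dangerous case)
        else:
            counts["TN"] += 1      # safe host, correctly left alone
    return counts


def false_positive_rate(counts: dict) -> float:
    """Share of genuinely safe hosts that the scanner still flagged."""
    safe = counts["FP"] + counts["TN"]
    return counts["FP"] / safe if safe else 0.0


# Constructed inventory: web-02 and web-03 run an old version but carry the
# backported fix, so a version-only signature reports them as vulnerable.
HOSTS = [
    Host("web-01", "2.4.41", frozenset(), True),
    Host("web-02", "2.4.41", frozenset({FIX_PATCH}), False),
    Host("web-03", "2.4.41", frozenset({FIX_PATCH}), False),
    Host("web-04", "2.4.52", frozenset(), False),
    Host("web-05", "2.4.38", frozenset({"PATCH-EXAMPLE-002"}), True),
]

if __name__ == "__main__":
    for label, sig in (("old signature", old_signature),
                       ("updated signature", new_signature)):
        counts = score(sig, HOSTS)
        print(f"{label}: {counts}, FP rate {false_positive_rate(counts):.2f}")
```

Running the block shows the old signature producing two false positives (an FP rate of about 0.67 on the safe hosts) while still catching both real vulnerabilities; the updated signature keeps the same two true positives and drops the false positives to zero without introducing a false negative. That is the outcome the "tune, don't disable" guidance aims for: fewer spurious findings, no loss of detection.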

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.

Listen Podcasts

CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam?

Check out the CISSP Cyber Training Academy to help you on your journey!

Learn about the Academy!

CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.

Check out channel