ISC CC - CC - Certified in Cybersecurity

Digital signatures provide authentication, integrity, and non-repudiation. They confirm who sent a message and ensure it was not altered.

Confidentiality ensures information is accessible only to authorized individuals.

Attribute-Based Access Control (ABAC) grants access based on complex logical rules that evaluate attributes of the user, resource, action, and environment. Examples include user role, department, time of day, device type, and data sensitivity. These attributes are evaluated dynamically, allowing fine-grained and context-aware access decisions.

DAC allows owners to grant permissions, MAC uses labels and classifications, and RBAC assigns permissions based on roles. None of these provide the same level of flexibility as ABAC. Because ABAC supports complex, rule-based decisions, it is widely used in modern cloud environments and zero trust architectures.

Type 1 authentication refers tosomething you know, such as passwords or PINs. While widely used, this authentication method has several inherent weaknesses. Users may share credentials intentionally or unintentionally, reuse weak passwords across systems, or forget them altogether. Passwords can also be intercepted through phishing, keylogging, shoulder surfing, or man-in-the-middle attacks.

Because of these weaknesses, Type 1 authentication alone provides limited security assurance. Modern security frameworks strongly recommend supplementing knowledge-based authentication with additional factors, such as something you have (tokens) or something you are (biometrics), to form Multi-Factor Authentication (MFA).

Role-Based Access Control (RBAC) assigns permissions based on job roles, making it scalable and efficient for large organizations. It simplifies access management and supports least privilege.

Logical (technical) controls such as encryption, access controls, DLP, and firewalls directly prevent unauthorized data access and exfiltration.

A hub broadcasts incoming traffic toall connected devices, regardless of the destination. This creates unnecessary traffic and security risks. A switch, however, uses MAC address tables to forward trafficonly to the intended destination port, making it far more efficient and secure.

Hubs operate at OSI Layer 1, while switches operate at Layer 2. Because hubs broadcast traffic indiscriminately, they are rarely used in modern networks.

TLS Session Resumption is used to optimize the TLS handshake process by reducing the number of round trips required between the client and server. Instead of performing a full handshake, session resumption allows previously negotiated security parameters to be reused.

This significantly improves performance and reduces latency, especially for applications with frequent connections such as web services and APIs. Session resumption can be implemented using session IDs or session tickets.

TLS renegotiation re-establishes parameters mid-session, TLS heartbeat is unrelated and historically associated with vulnerabilities, and “TLS FastTrack” is not a valid standard. TLS Session Resumption is formally defined in TLS specifications and is widely used in modern secure communications.

In access control models, asubjectis an active entity that requests access to a resource. In this scenario, Derrick is the subject because he is the user initiating an action—logging into a system and attempting to read a file. Subjects can be users, processes, or systems acting on behalf of users.

Anobject, by contrast, is a passive entity that is being accessed, such as a file, database, printer, or network resource. The file Derrick wants to read is the object. Access control systems evaluate whether a subject has the appropriate permissions to perform an action (such as read, write, or execute) on an object.

This subject-object relationship is foundational to many security models, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Proper identification of subjects is essential for authentication, authorization, auditing, and accountability. By clearly defining who the subject is, organizations can enforce least privilege, track user actions, and maintain strong security governance across systems.