We're about to undergo a project where we'll be handling highly sensitive data. Apart from encrypting the data, I was thinking about obfuscating the table names.

So tEmployees would become t58633B7A, for example. Would this be useful to add? After all, it's about building layers of security/prevention.

P.S. We'll map the obfuscated table names to the real names in our Data Access Layer.

+13  A: 

This seems entirely superfluous. If an attacker has gained access to the database, then simply not knowing the table name is little protection in the grand scheme of things. You should spend your time, if anything, on better intrusion detection and protection mechanisms.

Joel Martinez
+1: Just have to look at foreign keys/etc to see relationships. If someone has DB account access, you have ***bigger*** problems
OMG Ponies
It would be trivial to rename the tables to whatever you want. If you see a column with data like 'Kevin', 'Bill', 'Judith', you're going to immediately guess it's a first name field. Effort is better expended in securing the database and all replicas so as to avoid leaking data in the first place. A lot of people secure the database server but forget to lock down back-up copies as diligently, for example.
tadman
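
The point made in the comments above (foreign keys, column names and the data itself give the schema away), as an added example that is not part of the original thread: a constructed SQLite schema with obfuscated table names, read back through the database's own catalog. The second table name, the columns and the sample rows are made up for the demonstration; only `t58633B7A` comes from the question.

```python
import sqlite3

# Constructed schema: table names obfuscated as in the question,
# columns and rows invented for this demonstration.
SCHEMA = """
CREATE TABLE t58633B7A (id INTEGER PRIMARY KEY, first_name TEXT, salary REAL);
CREATE TABLE t9C01D2EE (id INTEGER PRIMARY KEY,
                        employee_id INTEGER REFERENCES t58633B7A(id),
                        issued_on TEXT, amount REAL);
INSERT INTO t58633B7A VALUES (1, 'Kevin', 52000), (2, 'Judith', 61000);
INSERT INTO t9C01D2EE VALUES (1, 1, '2010-01-31', 4333.33);
"""


def build_demo():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def describe(conn):
    """Return what any account with read access can learn from the catalog:
    {table: {"columns": [...], "references": [(col, parent, parent_col)], "sample": row}}
    """
    report = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for t in tables:
        # Names come from the catalog itself; quote them as identifiers.
        q = '"' + t.replace('"', '""') + '"'
        # table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q})")]
        # foreign_key_list rows: (id, seq, table, from, to, ...)
        fks = [(r[3], r[2], r[4])
               for r in conn.execute(f"PRAGMA foreign_key_list({q})")]
        sample = conn.execute(f"SELECT * FROM {q} LIMIT 1").fetchone()
        report[t] = {"columns": cols, "references": fks, "sample": sample}
    return report


if __name__ == "__main__":
    for name, info in describe(build_demo()).items():
        print(name, info)
```

The opaque names survive, but the columns, the foreign key and one sample row are enough to tell which table holds employees and which holds their payments, so the renaming protects nothing that access control and encryption were not already protecting.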
+2  A: 

I would say it's probably a waste of time. If someone can hack your program enough that it has access to your database, then you're screwed anyway and this hacker will figure out your silly obfuscation scheme in a heartbeat.

Earlz
+5  A: 

Although you will hear over and over again that security through obscurity is bad, it does help raise the bar to attack, so long as you keep in mind that it is not a solution.

For your particular case, I would say that the cost of maintaining, debugging, troubleshooting your database will outweigh the benefits from the tiny amount of perceived security.

0xfe
+3  A: 

What a complete waste of time.

Well, not really..... it does have the feature of scaring away actual talent during interviews, and might get you a mention on TheDailyWTF.

Eric H.
+1 because you made me chuckle
Earlz