
How much of a security risk are published conceptual schema?

Submitted by: @import:stackexchange-dba

Problem

I was requesting the conceptual schemas from a government agency's information system for my research. My request has been denied on the grounds of it being a security risk.

I don't really have extensive database experience so I can't verify that claim. Is disclosing your schema really that big of a security risk? I mean, those are pretty abstract and divorced from the hardware and software implementations. An explanation of how an attacker could exploit conceptual schemas would be appreciated. Thanks.

Solution

Agreed with gbn (so +1), but I think there are two other possibilities at play:

1. It is quite possible that their conceptual schema has a lot of overlap with their physical schema. Knowing table names gives you a decent head start in planning your SQL injection attacks.

2. It is very likely they don't have their conceptual schema documented. Organizations that let programmers design their own databases often don't have any rigour in their database design process, going straight to physical implementation without any initial design. They may not want to admit this, or they may not want to go to the time and trouble of back-creating a conceptual document that never existed.

Edit: OP has commented that the organization being asked for their conceptual schema is a government agency. This to my mind adds another likely possibility:

Civil servants aren't known for their love of risk-taking and so a mid-level functionary in a government department is unlikely to stick their neck out and release information just in case it might draw the attention or ire of someone further up the hierarchy.

I do still think that #2 is the most likely.

Context

StackExchange Database Administrators Q#14535, answer score: 12
