On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would “help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles.”  Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.  

This settlement was part of an ongoing FTC campaign to “stop overhyped advertising claims.”  A similar effort would serve the information security community well.  For example, one particular claim that causes me frequent grief is: “solution X detects and prevents advanced persistent threats.”  It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.

The definition of APT is highly debated and Hackers vs. Executive panelist Richard Bejtlich has done much to educate the community on the topic.  In fact, if you are attending our Security Forum in Las Vegas next week you can ask him for his perspective on APTs.  One thing I am certain of, we cannot buy a silver bullet to eliminate the APT threat.  There are certainly solutions on the market that can aid us in our battle. Richard talks about creating “friction" for our adversaries and our preventive security controls do this.  The more “friction” we can create for attackers the better.  Our objective is to slow the attackers down and make their mission more difficult to accomplish.  This will buy us time and if we have the proper visibility into our environments, we will be able to detect the threat.  We must operate knowing that prevention will fail and detection is a cornerstone of our defense. 

In addition to the settlement, the FTC is encouraging those who purchased these Shape-Ups to seek a refund.  If an APT strikes your organization will the vendor that made these false claims be fined, or will your organization be offered a refund?  I think not.  Perhaps we will even see Kim Kardashian at a RSA booth next year saying, "Try this Kardashian-approved solution, guaranteed to put an end to the APT threat."

Time to wrap this up, I need to lace up my Shape-Ups and take a relaxing walk at a glacial pace while the shoes magically tone my calves.