CISA issues a Binding Operational Directive. An LA school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. Analysis of cyber risk in relation to SaaS applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themself in Russia.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/11/191

Selected reading.
Binding Operational Directive 23-01 (CISA)
CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection (Cybersecurity and Infrastructure Security Agency) 
CISA aims to expand cyber defense service across fed agencies, potentially further (Federal News Network)
CISA directs federal agencies to track software and vulnerabilities (The Record by Recorded Future) 
Student, Teacher Data Not Affected in Los Angeles School District Hack (Wall Street Journal)
‘No evidence of widespread impact,’ LAUSD says of data released by hackers (KTLA) 
New API Threat Research Shows that Shadow APIs Are the Top Threat Vecto (Cequence Security)
Secureworks State of the Threat Report 2022: 52% of ransomware incidents over the past year started with compromise of unpatched remote services (Secureworks)
Russian Citizens Wage Cyberwar From Within (Kyiv Post)
Russian Hackers Take Aim at Kremlin Targets: Report (Infosecurity Magazine) Russian retail chain 'DNS' confirms hack after data leaked online (BleepingComputer)