Some info on this here also https://www.bleepingcomputer.com/ne...ing-air-gapped-networks-via-usb-thumb-drives/
A couple of weeks ago I saw the "Zero Days" movie about Stuxnet. Quite a clever way to get malware running on machines I must say. I didn't realize that connecting an external drive could automatically infect a system.
The truth about USB sticks and SD cards is much worse than just the ability to transport malformed Windows .lnk files. The memory in them is unreliable and requires complex error correction algorithms to keep them working. For this reason every one of them has a tiny microcontroller, I believe it is an ARM CPU or something similar. Even those tiny micro SD cards have one. These can be reprogrammed to do pretty much anything from a malware point of view, and the fact that this was done is undetectable in any practical way.
It doesn't just stop there. There's enough reading material thrown out there to last 20 lifetimes if you ask me. And the tons of different and so comical names given to different types of code works is a list suited perfectly for the Thoroughbred Racing Industry.
It's worth noting that the recent WannaCry infection of Victorian (Oz) traffic camera controllers was by... wait for it... a thumb drive. Best-practice security mandates removal or non-installation of anything that is not an internal drive. If you can stick something in, you will be infected. The usual vector is... wait for it... autorun.inf. Bare boxes with only a CAT-x plug at the back are easily available: no holes of any description, including speaker cables and CD/DVD. Monitors and keyboards ditto.
The problem is not me on my box, it's employees on the company boxes. OTOH, yes, a decent AE should be set to treat all removable media as hostile and block without asking--that is, all minions' boxes have (insert VS here!) set to Autopilot and the shield and tray icon hidden. And yes, anything that looks like a server really should have an AE installed. We hope the management does not use the server as their personal workstation. However, my personal preference would be for the company boxes to have only the holes needed to connect to the company intranet, which includes the printer and scanner. That is, one RJ45 hole for one CAT-x cable. Employees do not need to conduct personal affairs on the company boxes. It's the difference between an effective software solution which can be reset by knowledgeable users on the one hand, and simple hardware which imposes a much higher difficulty level to be hacked.
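The two posts above describe the autorun.inf vector and the "treat all removable media as hostile" policy in prose. The script below is an added example, not code from any poster in this thread: it audits and (optionally) enforces the Windows Group Policy registry values that turn off AutoRun/AutoPlay, deny access to the Removable Disks device class, and disable the USB mass-storage driver. The registry paths and value names are the documented policy locations; the function names, the `$desired` table and the audit/enforce split are this example's own choices. It assumes a Windows host and an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit/enforce removable-media hardening.
# Requires an elevated session. Values take effect after gpupdate /force or a reboot.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Device setup class GUID for "Removable Disks", used by the
# "Removable Storage Access" policies under RemovableStorageDevices.
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Desired state, one entry per registry value (table layout is this example's own).
$desired = @(
    # "Turn off AutoPlay" for every drive type: bitmask 0xFF covers all of them.
    @{ Path = $explorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    # "Default behavior for AutoRun" = do not execute any autorun.inf commands.
    @{ Path = $explorerPolicy; Name = 'NoAutorun';          Value = 1 }
    # Removable Disks: deny execute; deny read/write as well for the
    # "only one RJ45 hole" stance. Drop Deny_Read/Deny_Write if users must copy files.
    @{ Path = $removableDisks; Name = 'Deny_Execute';       Value = 1 }
    @{ Path = $removableDisks; Name = 'Deny_Read';          Value = 1 }
    @{ Path = $removableDisks; Name = 'Deny_Write';         Value = 1 }
    # Disable the USB mass-storage driver outright (Start = 4 means disabled).
    @{ Path = $usbstor;        Name = 'Start';              Value = 4 }
)

function Get-RemovableMediaPolicyState {
    # Report each value's current setting next to the expected one.
    foreach ($item in $desired) {
        $current = $null
        if (Test-Path -LiteralPath $item.Path) {
            $props   = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
            $current = $props.($item.Name)
        }
        [pscustomobject]@{
            Path      = $item.Path
            Name      = $item.Name
            Expected  = $item.Value
            Current   = $current
            Compliant = ($null -ne $current -and [int]$current -eq [int]$item.Value)
        }
    }
}

function Set-RemovableMediaPolicy {
    # Write every value in $desired. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($item in $desired) {
        if (-not (Test-Path -LiteralPath $item.Path)) {
            New-Item -Path $item.Path -Force | Out-Null
        }
        $target = '{0}\{1}' -f $item.Path, $item.Name
        if ($PSCmdlet.ShouldProcess($target, "set DWORD to $($item.Value)")) {
            Set-ItemProperty -LiteralPath $item.Path -Name $item.Name `
                             -Value $item.Value -Type DWord
        }
    }
}

# Audit first; enforce with Set-RemovableMediaPolicy (or -WhatIf to preview).
Get-RemovableMediaPolicyState | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, `NoAutorun` and `NoDriveTypeAutoRun` only close the autorun.inf path; they do nothing against a reprogrammed controller of the kind described earlier in the thread, which can present itself as a keyboard rather than a disk, so the `Deny_*` and USBSTOR entries (or the no-holes hardware the poster prefers) are what actually shrink that surface. Second, these are local registry writes; in a domain they will be overwritten by whatever the GPO says, so set the equivalent policy there rather than on each box.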