Connected and autonomous vehicles (CAVs) can fulfill the emerging demand for smart transportation on a global scale. Such innovations for transportation can bring manyfold benefits from fully autonomous driving services to proactive vehicle monitoring and traffic management. However, given the complexity involved in the deployment of CAVs, zero-tolerance safety, and security measures must be incorporated to avert vehicle immobilization, road accidents, disclosure of sensitive data, or any potential threats. In this article, we present a reference architecture of CAVs to investigate existing and emerging cyber threats and thus, derive a common attack taxonomy for a CAVs ecosystem based on our studies of academic literature and industry white papers. After that, we discuss security mechanisms for the CAVs ecosystem that can be useful for the safe and secure transportation of passengers from one destination to another. Our work can provide insights to security engineers and system architects for investigating security problems using a top-to-bottom approach and subsequently, identifying optimal security solutions for CAVs.