There's a lot to learn, and a ton of places to start. I would build yourself a lab, you should be able to do it on any somewhat modern system. And for cheap, even free. (Walkthrough found here http://www.ethicalhacker.net/component/ ... ic,4394.0/
) The lab provides ample test space for you to practice all kinds of things, and can be modified to your needs.
If web testing strikes a fancy, maybe check out hackthissite.org, hellboundhackers.org or enigmagroup.org. I should warn, those places can be filled with some jerks, but they have plenty of challenges to test yourself on or to learn new things. I personally avoid the forums on those sites with all my strength. (Much nicer/smarter people here at EH)
All in all, in my opinion, step one is to learn about security as much as you can. You don't need to know how to do something to learn about what it is.
Also, look around for some groups in your area, 2600, Defcon groups, hackerspaces, ISSA, etc. I don't know a lot, but I learn more everytime I hang around people smarter than me. Not only will these connections help you to learn, but they can prove to be priceless when it comes time to find your first infosec job.